Lucene search

HiddenLayerCVELIST:CVE-2024-24594

HistoryFeb 06, 2024 - 2:42 p.m.

CVE-2024-24594

2024-02-0614:42:08

CWE-79

HiddenLayer

www.cve.org

cve-2024-24594

cross-site scripting

web server

allegro ai

clearml

remote attacker

javascript payload

debug samples tab

9.9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

8.4 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

20.4%

JSON

A cross-site scripting (XSS) vulnerability in all versions of the web server component of Allegro AI’s ClearML platform allows a remote attacker to execute a JavaScript payload when a user views the Debug Samples tab in the web UI.

CNA Affected

[
  {
    "defaultStatus": "affected",
    "packageName": "clearml-web",
    "product": "ClearML",
    "repo": "https://github.com/allegroai/clearml-web",
    "vendor": "Allegro.AI",
    "versions": [
      {
        "lessThanOrEqual": "*",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]

References

hiddenlayer.com/research/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/

9.9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

8.4 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

20.4%

JSON

Related for CVELIST:CVE-2024-24594