
AVID-2026-R1438

Description

Vulnerability CVE-2024-24593

Details

A cross-site request forgery (CSRF) vulnerability in all versions up to 1.14.1 of the API server component of Allegro AI's ClearML platform allows a remote attacker to impersonate a logged-in user: maliciously crafted HTML loaded in the victim's browser causes that browser to issue API requests that carry the victim's session credentials. Successful exploitation lets the attacker compromise confidential workspaces and files, leak sensitive information, and reach ClearML instances inside closed-off networks that the attacker could not otherwise contact, because the victim's browser acts as the bridge.
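As an added illustration (not ClearML's own code, and not a description of how the project fixed this issue), the Python sketch below shows the cookie-authenticated request pattern that CSRF rides on, beside one standard mitigation: cookie-authenticated state-changing calls are rejected unless the browser-supplied Sec-Fetch-Site and Origin (or, failing that, Referer) match the deployment's own origin, and a JSON content type is required because a plain cross-origin form cannot send one without a CORS preflight. The endpoint path, header names, session store and trusted origin are assumptions chosen for the example, and the two request objects are constructed.

```python
"""Cookie-authenticated API write, with and without a cross-site request check."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed session store (assumption): cookie value -> user name.
SESSIONS = {"sess-abc123": "alice"}

# Origin the deployment serves its own web UI from (assumption).
TRUSTED_ORIGINS = {"https://clearml.example.internal"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request; header names are lower-case."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


def authenticate(req):
    """Cookie-only authentication: the browser attaches the cookie to every
    request for this host, including ones a third-party page triggers."""
    return SESSIONS.get(req.cookies.get("session"))


def vulnerable_handler(req):
    """Before: a valid session cookie is all it takes, whatever the origin."""
    user = authenticate(req)
    if user is None:
        return 401, {"error": "unauthenticated"}
    if req.method == "POST" and req.path == "/api/projects.delete":  # hypothetical endpoint
        return 200, {"deleted": req.body.get("project"), "by": user}
    return 404, {"error": "unknown endpoint"}


def origin_of(url):
    """scheme://host[:port] of a URL, or None if it has no usable origin ("null" included)."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def csrf_check(req):
    """Return None when the request may proceed, else a short rejection reason.

    Only cookie-authenticated, state-changing requests need the check. A forged
    request carries the victim's cookie, but the attacker's page cannot choose
    Sec-Fetch-Site or Origin, and a cross-origin form cannot send JSON.
    """
    if req.method.upper() in ("GET", "HEAD", "OPTIONS"):
        return None                      # safe methods must not change state
    if "session" not in req.cookies:
        return None                      # no ambient credential to ride on
    site = req.headers.get("sec-fetch-site")
    if site is not None and site not in ("same-origin", "none"):
        return f"Sec-Fetch-Site={site}"
    origin = req.headers.get("origin")
    if origin is None and "referer" in req.headers:
        origin = origin_of(req.headers["referer"])   # legacy fallback
    if origin is None:
        return "cookie-authenticated write without Origin or Referer"
    if origin not in TRUSTED_ORIGINS:
        return f"untrusted origin {origin}"
    ctype = req.headers.get("content-type", "")
    if not ctype.startswith("application/json"):
        return f"unexpected content type {ctype!r}"
    return None


def hardened_handler(req):
    """After: the same business logic behind the cross-site check."""
    reason = csrf_check(req)
    if reason is not None:
        return 403, {"error": "cross-site request rejected", "reason": reason}
    return vulnerable_handler(req)


# Constructed: what the victim's browser sends after loading attacker HTML such as
# <form action="https://clearml.example.internal/api/projects.delete" method="POST">
# submitted by script; the session cookie is attached by the browser, not the page.
FORGED = Request(
    method="POST", path="/api/projects.delete",
    headers={"origin": "https://evil.example",
             "referer": "https://evil.example/attack.html",
             "sec-fetch-site": "cross-site",
             "content-type": "application/x-www-form-urlencoded"},
    cookies={"session": "sess-abc123"},
    body={"project": "confidential-research"},
)

# Constructed: the same call issued by the platform's own web UI.
LEGITIMATE = Request(
    method="POST", path="/api/projects.delete",
    headers={"origin": "https://clearml.example.internal",
             "sec-fetch-site": "same-origin",
             "content-type": "application/json"},
    cookies={"session": "sess-abc123"},
    body={"project": "scratch"},
)

if __name__ == "__main__":
    for name, req in (("forged", FORGED), ("legitimate", LEGITIMATE)):
        print(name, "vulnerable:", vulnerable_handler(req), "hardened:", hardened_handler(req))
```

The origin check is the load-bearing part; the JSON content-type requirement and a `SameSite=Lax` or `Strict` attribute on the session cookie are complementary layers, and the Referer fallback exists only for clients that omit Origin. Non-browser API clients that authenticate with a bearer header rather than a cookie are not exposed to this class of attack, since nothing attaches that header automatically.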

Reason for inclusion in AVID: CVE-2024-24593 describes a cross-site request forgery vulnerability in the API server component of Allegro AI's ClearML platform. ClearML is an AI/ML workflow management platform widely used in ML pipelines for experiment tracking, data handling, and deployment. A CSRF vulnerability that enables user impersonation and access to confidential workspaces and files is a security vulnerability with direct impact on AI software stacks. The issue affects a software component used to build, deploy, and run general-purpose AI systems, making it a relevant supply-chain risk in general-purpose AI contexts. The report provides explicit vulnerability behavior, scope, and references (CVE/NVD).

References

Affected or Relevant Artifacts

  • Developer: Allegro.AI
  • Deployer: Allegro.AI
  • Artifact Details:
    Type: System
    Name: ClearML

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version: 3.1
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Base Score: 9.6
Base Severity: Critical
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High

CWE

ID: CWE-352
Description: Cross-Site Request Forgery (CSRF)

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-02-06
  • Version: 0.3.3
  • AVID Entry