CVE-2024-24591: 
ClearML Server vulnerability analysis and mitigation

A path traversal vulnerability was discovered in Allegro AI's ClearML platform, specifically affecting versions 1.4.0 to 1.14.1 of the client SDK. The vulnerability was identified and disclosed by HiddenLayer's SAI team, with the CVE being assigned on January 25, 2024 (CVE Mitre, HiddenLayer Research).

The vulnerability exists within the Datasets class inside the downloadexternal_files method of the ClearML client SDK. When a user interacts with a dataset, particularly when using the Dataset.squash method, the vulnerability can be triggered. The flaw allows an attacker to specify arbitrary file paths through external links, including the ability to use the file:// protocol, which can potentially expose sensitive local files (HiddenLayer Research).

The vulnerability enables a maliciously uploaded dataset to write local or remote files to an arbitrary location on an end user's system when interacted with. This could potentially lead to sensitive data exposure if local files are moved to externally accessible directories (HiddenLayer Research).

Following responsible disclosure practices, the vulnerability was reported to ClearML before public disclosure, and the team worked to resolve the issues within a 90-day window. Users should upgrade to versions newer than 1.14.1 to mitigate this vulnerability (HiddenLayer Research).