CVE-2024-24595: 
ClearML Server vulnerability analysis and mitigation

Allegro AI's open-source version of ClearML contains a security vulnerability (CVE-2024-24595) where user passwords are stored in plaintext within the MongoDB instance. This vulnerability was discovered and disclosed by the HiddenLayer SAI team as part of their research into MLOps solutions (HiddenLayer Research).

The vulnerability exists within the open-source version of the ClearML Server MongoDB instance, which lacks proper access control mechanisms. The MongoDB instance stores user information and credentials in an unencrypted, plaintext format. While the MongoDB instance is not externally exposed by default, the vulnerability becomes critical if an attacker gains access to the server (HiddenLayer Research).

If exploited, this vulnerability could lead to the compromise of user credentials stored in the MongoDB instance. An attacker with access to the server could retrieve ClearML user information and credentials using tools like mongosh, potentially leading to the compromise of other accounts owned by the affected users (HiddenLayer Research).

The vulnerability was disclosed to ClearML through responsible disclosure practices, and the team worked to resolve the issues within a 90-day window. Organizations using ClearML should ensure proper access controls are implemented for their MongoDB instances and follow security best practices for credential storage (HiddenLayer Research).

The disclosure process demonstrated a positive working relationship between security teams and product developers, with ClearML responding promptly to address the vulnerability. This collaborative approach has been noted as an example of how responsible disclosure can improve security posture throughout the community (HiddenLayer Research).