ClearML < 1.16.0 Unauthenticated File Access

critical Web App Scanning Plugin ID 114939

Language:

Synopsis

ClearML < 1.16.0 Unauthenticated File Access

Description

According to its banner, the version of ClearML running on the remote host is < 1.16.0. It is, therefore, affected by an Unauthenticated File Access due to the lack of authentication of the fileserver component.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to ClearML version 1.16.0 or later.

See Also

https://hiddenlayer.com/innovation-hub/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/

Plugin Details

Severity: Critical

ID: 114939

Type: remote

Family: Artificial Intelligence

Published: 8/11/2025

Updated: 8/11/2025

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2024-24592

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Score Source: CVE-2024-24592

Vulnerability Information

CPE: cpe:2.3:a:clearml:clearml:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 2/5/2024

Reference Information

CVE: CVE-2024-24592

CWE: 287

OWASP: 2010-A3, 2013-A2, 2017-A2, 2021-A7

WASC: Insufficient Authentication

CAPEC: 114, 115, 151, 194, 22, 57, 593, 633, 650, 94

DISA STIG: APSC-DV-000460

HIPAA: 164.312(a)(1), 164.312(a)(2)(i)

ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5

NIST: sp800_53-AC-3

OWASP API: 2019-API7, 2023-API8

PCI-DSS: 3.2-6.5.10