CVE-2021-42951

Vulnerability

A Remote Code Execution (RCE) vulnerability exists in Algorithmia MSOL (Machine Learning Operations) all SaaS versions before October 10, 2021. The bug allows an authenticated user to create a specially crafted Algorithm which, when processed, triggers arbitrary code execution on the platform's backend. The vulnerability is reachable through the legitimate user workflow of creating and deploying algorithms.

Exploitation

An attacker must first register for an account on the Algorithmia MSOL SaaS instance and authenticate. The platform allocates a set number of credits to new users for trial purposes, which is sufficient to perform the attack. Once authenticated, the attacker creates a new Algorithm and crafts its payload in a way that, upon submission or deployment, executes shell commands or arbitrary code of the attacker's choosing. No additional privilege escalation or user interaction beyond the initial authentication is required.

Impact

Successful exploitation allows the attacker to achieve Remote Code Execution (RCE) on the platform's servers. This leads to a complete compromise of confidentiality, integrity, and availability — the attacker can read, modify, or delete any data accessible to the service, potentially affecting other users and the entire SaaS environment.

Mitigation

The vulnerability was patched by the vendor on October 10, 2021. All customers running Algorithmia MSOL SaaS versions prior to that date are affected and should ensure their instance is updated to the latest version. No workarounds are documented in the available references [1]. Users are advised to contact DataRobot (which acquired Algorithmia) for specific patch information.