PyPI package
clearml
pkg:pypi/clearml
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-8917 | Med | 5.8 | — | < 2.0.2 | 2.0.2 | Oct 5, 2025 | A vulnerability in allegroai/clearml version v2.0.1 allows for path traversal due to improper handling of symbolic and hard links in the `safe_extract` function. This flaw can lead to arbitrary file writes outside the intended directory, potentially resulting in remote code execu |
| CVE-2024-24591 | — | — | — | >= 0.17.0, <= 1.14.1 | — | Feb 6, 2024 | A path traversal vulnerability in versions 1.4.0 to 1.14.1 of the client SDK of Allegro AI’s ClearML platform enables a maliciously uploaded dataset to write local or remote files to an arbitrary location on an end user’s system when interacted with. |
| CVE-2024-24590 | — | — | — | >= 0.17.0, <= 1.14.1 | — | Feb 6, 2024 | Deserialization of untrusted data can occur in versions 0.17.0 to 1.14.2 of the client SDK of Allegro AI’s ClearML platform, enabling a maliciously uploaded artifact to run arbitrary code on an end user’s system when interacted with. |
| CVE-2024-24595 | — | — | — | <= 1.14.2 | — | Feb 5, 2024 | Allegro AI’s open-source version of ClearML stores passwords in plaintext within the MongoDB instance, resulting in a compromised server leaking all user emails and passwords. |
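The "Affected versions" column above, turned into a check a practitioner can run against an installed clearml. This is an added example, not part of the advisory page or of the ClearML project: the range data is transcribed from the table, and the version parsing and comparison code is ours (standard library only, so it runs offline).

```python
"""Check a clearml version against the affected ranges listed in the table above.

Added example, not part of the advisory page or of the ClearML project.
"""
import re
from importlib import metadata

# Ranges transcribed from the "Affected versions" column above. A version is
# affected by a CVE when every (operator, bound) constraint holds.
ADVISORIES = {
    "CVE-2025-8917": [("<", "2.0.2")],
    "CVE-2024-24591": [(">=", "0.17.0"), ("<=", "1.14.1")],
    "CVE-2024-24590": [(">=", "0.17.0"), ("<=", "1.14.1")],
    "CVE-2024-24595": [("<=", "1.14.2")],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return a (major, minor, patch) tuple; a pre-release suffix is ignored.

    Sufficient for clearml's X.Y.Z tags; anything else raises ValueError.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def matches(version, constraints):
    """True if `version` satisfies every constraint in the list."""
    v = parse_version(version)
    return all(_OPS[op](v, parse_version(bound)) for op, bound in constraints)


def affecting_cves(version):
    """Sorted CVE ids from the table whose affected range includes `version`."""
    return sorted(cve for cve, c in ADVISORIES.items() if matches(version, c))


def installed_clearml_version():
    """Version of clearml in the current environment, or None if not installed."""
    try:
        return metadata.version("clearml")
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    v = installed_clearml_version()
    if v is None:
        print("clearml is not installed in this environment")
    else:
        hits = affecting_cves(v)
        print(f"clearml {v}: {', '.join(hits) if hits else 'no listed CVE matches'}")
```

One caveat visible on the page itself: the check uses the "Affected versions" column, but the description text for CVE-2024-24590 names 1.14.2 as affected while the column stops at 1.14.1. A cautious reader may want to widen that range to `<= 1.14.2` before relying on the result.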
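The CVE-2025-8917 entry says the flaw was improper handling of symbolic and hard links in a `safe_extract` function. The block below is an added example, not ClearML's `safe_extract` and not its fix: it shows the class of check that such a function needs, validating link members (where a symlink points, which archive path a hardlink refers to, and whether a later file is routed through an already-extracted symlink) rather than only plain file names. The archives and their member lists are constructed in memory for the demonstration; `tarfile`'s own extraction filters are used as a second line of defence where the running Python has them.

```python
"""Reject link-based path traversal when extracting an untrusted tar archive.

Added example, not ClearML's own `safe_extract` and not its fix. The archives
below are constructed in memory purely for the demonstration.
"""
import io
import os
import tarfile
import tempfile


class UnsafeArchiveMember(ValueError):
    """A member that would read from or write to a path outside the target tree."""


def _inside(root, path):
    """True if `path`, after resolving any symlinks already on disk, lies under `root`."""
    root = os.path.realpath(root)
    path = os.path.realpath(path)
    return path == root or path.startswith(root + os.sep)


def _check_member(member, dest):
    """Validate one member against `dest` just before it is extracted.

    realpath() sees members that were already written, so a symlink extracted
    a moment ago is followed here and a file routed through it is caught.
    """
    target = os.path.join(dest, member.name)
    if os.path.isabs(member.name) or not _inside(dest, target):
        raise UnsafeArchiveMember(f"{member.name}: path escapes {dest}")
    if member.issym():
        # A symlink target is resolved relative to the directory holding the link.
        link_target = os.path.join(os.path.dirname(target), member.linkname)
        if os.path.isabs(member.linkname) or not _inside(dest, link_target):
            raise UnsafeArchiveMember(
                f"{member.name}: symlink target {member.linkname!r} escapes {dest}")
    elif member.islnk():
        # A hardlink target names another archive member, relative to the archive root.
        link_target = os.path.join(dest, member.linkname)
        if os.path.isabs(member.linkname) or not _inside(dest, link_target):
            raise UnsafeArchiveMember(
                f"{member.name}: hardlink target {member.linkname!r} escapes {dest}")
    elif not (member.isfile() or member.isdir()):
        raise UnsafeArchiveMember(f"{member.name}: device/FIFO members are not allowed")


# Pythons with extraction filters (3.12+ and the 3.8-3.11 backports) also get
# the stdlib "data" filter, which performs equivalent link checks itself.
_EXTRACT_KW = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}


def safe_extract(archive_bytes, dest):
    """Extract `archive_bytes` into `dest` one member at a time; return extracted names."""
    os.makedirs(dest, exist_ok=True)
    extracted = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            _check_member(member, dest)
            # set_attrs=False skips chown/chmod/utime, so a 0o644 directory
            # entry cannot block the files that follow it in the archive.
            tar.extract(member, dest, set_attrs=False, **_EXTRACT_KW)
            extracted.append(member.name)
    return extracted


def build_demo_archive(members):
    """Constructed sample archive from (name, kind, payload) tuples.

    kind is "file" (payload = contents), "dir", "symlink" or "hardlink"
    (payload = link target).
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in members:
            info = tarfile.TarInfo(name)
            if kind == "file":
                data = payload.encode()
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
                continue
            if kind == "dir":
                info.type = tarfile.DIRTYPE
            else:
                info.type = tarfile.SYMTYPE if kind == "symlink" else tarfile.LNKTYPE
                info.linkname = payload
            tar.addfile(info)
    return buf.getvalue()


def try_extract(archive_bytes):
    """Extract into a fresh temporary directory; (True, names) or (False, reason)."""
    with tempfile.TemporaryDirectory() as dest:
        try:
            return True, safe_extract(archive_bytes, dest)
        except UnsafeArchiveMember as exc:
            return False, str(exc)


# Constructed scenarios: one benign layout and three escapes.
BENIGN = [("docs", "dir", ""), ("docs/README", "file", "hello"),
          ("docs/latest", "symlink", "README")]
SYMLINK_ESCAPE = [("sub", "symlink", ".."), ("sub/pwned", "file", "owned")]
HARDLINK_ESCAPE = [("passwd", "hardlink", "../../etc/passwd")]
DOTDOT_NAME = [("../evil.sh", "file", "rm -rf /")]

if __name__ == "__main__":
    for label, members in [("benign", BENIGN), ("symlink escape", SYMLINK_ESCAPE),
                           ("hardlink escape", HARDLINK_ESCAPE), ("dotdot name", DOTDOT_NAME)]:
        print(label, try_extract(build_demo_archive(members)))
```

The order of checks matters: the symlink member `sub -> ..` is rejected on its own, but even if a symlink into the tree were accepted, the following `sub/pwned` entry is re-resolved with `realpath()` against what is already on disk, which is what defeats the link-then-write pattern. On Python 3.12 and later, `tarfile`'s `filter="data"` applies the same class of checks; the block makes them explicit so the reader can see what the filter is deciding.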