clearml@1.11.1rc2 vulnerabilities

ClearML - Auto-Magical Experiment Manager, Version Control, and MLOps for AI

  • latest version

    1.17.0

  • latest non-vulnerable version

  • first published

    4 years ago

  • latest version published

    9 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the clearml package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable Version
    • H (High severity)
    Deserialization of Untrusted Data

    clearml is ClearML, an auto-magical experiment manager, version control, and MLOps for AI.

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker who uploads a malicious pickle file as an artifact can execute arbitrary code on an end user's system: the flaw is triggered when the user calls the get method of the Artifact class, which downloads the file and deserializes it into memory.

    How to fix Deserialization of Untrusted Data?

    Upgrade clearml to version 1.14.3rc0 or higher.

    [0.17.0,1.14.3rc0)
    • H (High severity)
    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

    clearml is ClearML, an auto-magical experiment manager, version control, and MLOps for AI.

    Affected versions of this package are vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in the _download_external_files method of the Datasets class. An attacker can upload a malicious dataset that, when a user interacts with it, writes local or remote files to an arbitrary location on the user's system.

    How to fix Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')?

    Upgrade clearml to version 1.14.2 or higher.

    [,1.14.2)