Insecure Temporary File Creation
The clearml codebase, specifically version 1.14.1, was found to use the unsafe tempfile.mktemp function for creating temporary files, leading to potential security and reliability risks. This issue was addressed and patched in version 1.14.2.
Available publicly on Feb 24 2024 | Available with Premium on Feb 09 2024
Threat Overview
The vulnerability arises from the use of the deprecated tempfile.mktemp function within the clearml codebase for downloading remote content into temporary files. This function is unsafe because it may generate non-unique filenames in multi-process environments, lacks proper security checks, and is deprecated in Python 3, leading to potential file overwrites or exposure of sensitive information.
Attack Scenario
An attacker could exploit this vulnerability by predicting the name of a temporary file and creating a malicious file with the same name before the legitimate file is created. This could lead to the application processing malicious content under the guise of legitimate operations, potentially leading to code execution or data leakage.
Who is affected
Developers and users of the clearml package version 1.14.1 are affected by this vulnerability. Specifically, environments where clearml is used for downloading and processing remote content into temporary files are at risk.
Technical Report
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.