Severity: Low

Package: clearml

Insecure Temporary File Creation

clearml version 1.14.1 creates temporary files for downloaded content using tempfile.mktemp, which returns a filename but does not create the file. Between the name being chosen and the file being opened, a local process can create a file or symbolic link at that path, so the later write can land in an attacker-chosen location. The issue was addressed and patched in version 1.14.2.

Available publicly on Feb 24 2024

CVSS score: 2.8

CVE:

No CVE

CVSS:

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Threat Overview

The vulnerability arises from the use of the deprecated tempfile.mktemp function in the clearml codebase to name the temporary files that receive downloaded remote content. mktemp only returns a path that did not exist at the moment it was checked; it creates nothing on disk. That leaves a window between name generation and the subsequent open() in which another local process can create a file or symbolic link at the same path, and open(path, "wb") will then truncate and write through whatever is there, including a symlink's target. Because the check and the creation are separate steps, the name is also not guaranteed to be unique across concurrent processes. The function has been deprecated since Python 2.3 in favour of tempfile.mkstemp and tempfile.NamedTemporaryFile, which choose the name and create the file in one atomic step (O_CREAT|O_EXCL, mode 0o600) and hand back the open descriptor. The practical outcomes are overwriting of files the clearml process can write to, and processing of content the attacker placed in the temporary file instead of the genuine download.

Attack Scenario

A local attacker with write access to the temporary directory who can predict the name returned by mktemp creates a file, or more usefully a symbolic link, at that path before clearml opens it. clearml then writes the downloaded content through the link, overwriting a file of the attacker's choosing, or later reads back content the attacker controls, so the application processes malicious data under the guise of a legitimate download. The advisory's scenario extends this to code execution or data leakage if the substituted content is executed or returned to the caller; the assigned vector (AV:L, PR:L, UI:R, I:L, C:N) credits only a limited integrity impact that needs a local, low-privileged attacker and a user triggering the download.
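The race described in the two sections above, reproduced as an added example (this is not clearml's code and not from the advisory). It simulates the attacker's move with a hook called between mktemp() and open(), then shows the same predicted name becoming harmless under O_CREAT|O_EXCL, and the idiomatic mkstemp() fix. The victim file, the temporary directory and the "remote" bytes are constructed for the demonstration; the function names are assumptions.

```python
import os
import pathlib
import tempfile

# Constructed stand-in for content clearml would fetch from a remote store (example bytes, not a real artifact).
REMOTE_CONTENT = b"legitimate model weights"


def plant_symlink(predicted_path, victim_path):
    """Attacker's move inside the race window: point the predicted temp name at a file
    they want clobbered. Needs only write access to the temp directory (local, low privilege)."""
    os.symlink(victim_path, predicted_path)


def mktemp_download(workdir, victim_path, payload=REMOTE_CONTENT, race=plant_symlink):
    """The pattern the advisory describes. mktemp() only returns a name; the file is created
    later by open(). `race` runs in between to stand in for a concurrent local attacker;
    it is a hook for this demonstration, not something real download code would contain."""
    path = tempfile.mktemp(suffix=".bin", dir=workdir)  # name only, nothing created on disk
    race(path, victim_path)                             # attacker wins the window
    with open(path, "wb") as fh:                        # follows the symlink, truncates victim_path
        fh.write(payload)
    return path


def excl_download(workdir, victim_path, payload=REMOTE_CONTENT, race=plant_symlink):
    """Same predictable name, but creation uses O_CREAT|O_EXCL, which fails on any
    pre-existing path, a symlink included (dangling or not). The attacker can still
    plant something, but can no longer make the application write through it."""
    path = tempfile.mktemp(suffix=".bin", dir=workdir)
    race(path, victim_path)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return None                                     # refuse rather than write into the attacker's target
    with os.fdopen(fd, "wb") as fh:
        fh.write(payload)
    return path


def mkstemp_download(workdir, payload=REMOTE_CONTENT):
    """The idiomatic fix: mkstemp() chooses the name and creates the file in one step
    (O_CREAT|O_EXCL, mode 0o600) and hands back the descriptor, so there is never a
    name without the file behind it. tempfile.NamedTemporaryFile() behaves the same way."""
    fd, path = tempfile.mkstemp(suffix=".bin", dir=workdir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(payload)
    return path


def demo(workdir=None):
    """Run all three variants against a victim file in a private directory.
    Returns (victim_after_mktemp, excl_result, victim_after_excl, mkstemp_file_mode)."""
    root = pathlib.Path(workdir or tempfile.mkdtemp())
    victim = root / "secrets.txt"
    victim.write_bytes(b"original secret")
    mktemp_download(str(root), str(victim))
    clobbered = victim.read_bytes()             # victim now holds the "downloaded" bytes
    victim.write_bytes(b"original secret")
    refused = excl_download(str(root), str(victim))
    intact = victim.read_bytes()                # unchanged: O_EXCL rejected the planted link
    safe_path = mkstemp_download(str(root))
    mode = os.stat(safe_path).st_mode & 0o777   # 0o600 regardless of umask
    return clobbered, refused, intact, mode


if __name__ == "__main__":
    print(demo())
```

The hook makes the race deterministic; in a real deployment the attacker has to win a timing window against the genuine open(), which is why the vector scores the impact as limited. Note that the private directory from mkdtemp() sidesteps the kernel's protected_symlinks restriction that would otherwise apply in a sticky, world-writable /tmp, so the vulnerable branch reliably follows the link for the purposes of the demonstration.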

Who is affected

Developers and users of clearml version 1.14.1 are affected. The exposure is specific to deployments where clearml downloads remote content into temporary files on a host whose temporary directory is writable by other local users or processes, since the attacker must be able to create the colliding file or symlink locally.

Technical Report