Sightline

Low

clearml

Insecure Temporary File Creation

The clearml codebase, specifically version 1.14.1, was found to use the unsafe tempfile.mktemp function for creating temporary files, leading to potential security and reliability risks. This issue was addressed and patched in version 1.14.2.

Available publicly on Feb 24 2024 | Available with Premium on Feb 09 2024

CVE:

No CVE

CWE:

377:Insecure Temporary File

CVSS:

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Credit:

saimanikanta1992

Assess Detect

Unavailable

Remediate

Remediation Steps

Upgrade to clearml version 1.14.2 or later.
Replace usage of tempfile.mktemp with safer alternatives such as tempfile.mkstemp or tempfile.NamedTemporaryFile.
Conduct a thorough security review of temporary file handling practices to ensure they meet current security standards.
Implement additional checks and validations when processing temporary files to prevent execution of untrusted code.

Patch Details

Fixed Version: 1.14.2
Patch Commit: https://github.com/allegroai/clearml/commit/0a928c24cad7ec4602fd169d801576baabdf7135

Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have 436- related security advisories that are available with Sightline Premium.