Insecure Temporary File Creation
clearml version 1.14.1 creates temporary files with tempfile.mktemp, which is unsafe: mktemp only returns a file name and does not create the file, so between that call and the subsequent open() an attacker with access to the same temporary directory can create a file or symbolic link at that name (a time-of-check/time-of-use race). Python's own documentation deprecates mktemp for exactly this reason. Depending on how the file is later used, the race lets an attacker plant content that the application reads or redirect the application's write to a file of the attacker's choosing. The issue was patched in version 1.14.2.
Available publicly on Feb 24 2024 | Available with Premium on Feb 09 2024
Remediation Steps
- Upgrade to clearml version 1.14.2 or later.
- Replace tempfile.mktemp with tempfile.mkstemp or tempfile.NamedTemporaryFile, which create the file atomically (O_CREAT | O_EXCL, mode 0o600) and return an open descriptor; keep using that descriptor rather than re-opening the file by name, since a second open by name reintroduces the race.
- Review all temporary file handling in the codebase for the same pattern, including any open() of a name that was not created atomically, and confirm that files are created with restrictive permissions.
- Where temporary files are later loaded, imported or executed, validate their contents and origin so that a planted or swapped file cannot lead to execution of untrusted code.
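The script below is an added example written for this advisory, not clearml's own code, and covers both the issue described above and the mkstemp replacement in the remediation steps. It simulates the race inside one process: after tempfile.mktemp() hands back a name, an "attacker" step plants a symlink at that name before the caller opens it, so the caller's write lands in a file the attacker chose. The hardened function uses mkstemp and writes through the descriptor it returns, and a third function shows the O_CREAT | O_EXCL property mkstemp relies on. The file names and contents are constructed for the demonstration, and the script assumes a POSIX system where symlinks can be created in the temporary directory.

```python
"""Added example for this advisory: the tempfile.mktemp race and its mkstemp fix.

Illustrative code written for this page, not clearml's own code.  The
"attacker" step is simulated inside one process: a symlink is planted at the
name mktemp() returned, before the caller opens it.  Assumes a POSIX system
where symlinks can be created in the temporary directory.
"""
import os
import stat
import tempfile


def vulnerable_write(payload: str, attacker_target: str) -> str:
    """Unsafe pattern (what the advisory describes).

    mktemp() only returns a name; nothing exists on disk yet.  An attacker who
    can guess or observe that name may create a symlink there before open()
    runs.  open(path, "w") then follows the link and the payload is written
    into attacker_target.  Returns the real path that was actually written.
    """
    path = tempfile.mktemp()            # name only: the race window opens here
    os.symlink(attacker_target, path)   # simulated attacker winning the race
    try:
        with open(path, "w") as fh:     # follows the symlink
            fh.write(payload)
        return os.path.realpath(path)
    finally:
        os.unlink(path)                 # remove the link; the damage remains


def safe_write(payload: str) -> str:
    """Hardened pattern: mkstemp() creates the file atomically
    (O_CREAT | O_EXCL, mode 0o600) and hands back an open descriptor, so no
    unclaimed name ever exists.  Write through that descriptor; re-opening by
    name would reintroduce the race.  Returns the path for later inspection.
    """
    fd, path = tempfile.mkstemp(prefix="clearml-example-", suffix=".tmp")
    with os.fdopen(fd, "w") as fh:
        fh.write(payload)
    return path


def exclusive_create_refuses_symlink(attacker_target: str) -> bool:
    """The property mkstemp relies on: O_CREAT | O_EXCL fails when anything,
    including a symlink, already exists at the path, instead of following it.
    Returns True if the planted symlink was rejected.
    """
    path = tempfile.mktemp()
    os.symlink(attacker_target, path)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        os.close(fd)
        return False
    except FileExistsError:
        return True
    finally:
        os.unlink(path)


def demo() -> dict:
    """Run both patterns against a scratch directory and report the outcome."""
    with tempfile.TemporaryDirectory() as work:
        target = os.path.join(work, "victim-owned.txt")   # constructed sample file
        with open(target, "w") as fh:
            fh.write("original contents")
        wrote_to = vulnerable_write("attacker-controlled contents", target)
        with open(target) as fh:
            target_after = fh.read()
        rejected = exclusive_create_refuses_symlink(target)
        safe_path = safe_write("secret contents")
        safe_mode = stat.S_IMODE(os.stat(safe_path).st_mode)
        with open(safe_path) as fh:
            safe_contents = fh.read()
        os.unlink(safe_path)
    return {
        "mktemp_wrote_into_target": wrote_to == os.path.realpath(target),
        "target_clobbered": target_after == "attacker-controlled contents",
        "exclusive_create_rejected_symlink": rejected,
        "mkstemp_mode": safe_mode,
        "mkstemp_contents": safe_contents,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

tempfile.NamedTemporaryFile is the same fix in a different shape: it calls mkstemp internally and returns a file object, so the name it exposes is already claimed and owned by the caller. The thing to avoid in either case is closing the file and later re-opening it by name, which gives an attacker a fresh window to swap in a symlink.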
Patch Details
- Fixed Version: 1.14.2
- Patch Commit: https://github.com/allegroai/clearml/commit/0a928c24cad7ec4602fd169d801576baabdf7135