CVE-2024-45857

CVSS 3.1 Score 7.8 of 10 (high)

Details

Published Sep 12, 2024
CWE ID 502

Summary

CVE-2024-45857 identifies a vulnerability in versions 2.4.0 and newer of the Cleanlab project, which allows for deserialization of untrusted data through a maliciously crafted datalab.pkl file. This flaw can enable arbitrary code execution on an end user's system when the data directory is loaded, posing significant risks to an organization's integrity and confidentiality, as indicated by a base severity score of 7.8. The attack requires local user interaction, making it essential for users to exercise caution when handling potentially unsafe files. To mitigate this vulnerability, organizations should upgrade to a fixed version of Cleanlab or implement strict validation mechanisms for data files before loading them. The potential impact includes high availability risks due to the possibility of unauthorized code execution.

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share