allegroai / clearml-server

ClearML - Auto-Magical CI/CD to streamline your AI workload. Experiment Management, Data Management, Pipeline, Orchestration, Scheduling & Serving in one MLOps/LLMOps solution
https://clear.ml/docs

Curl 7.69 < 8.4.0 Heap Buffer Overflow vulnerability #234

Open lions1988 opened 8 months ago

lions1988 commented 8 months ago

Hey team

Our Nessus scanners detected the following vulnerability on our self-hosted ClearML: Curl 7.69 < 8.4.0 Heap Buffer Overflow

ClearML versions: WebApp: 1.14.0-431 • Server: 1.14.0-431 • API: 2.28
Nessus plugin: https://www.tenable.com/plugins/nessus/182875
CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-38545

I can assume these issues are coming from the base OS image, I have seen this on the following containers:

apiserver
fileserver
elastic
async_delete

Please advise. Thank you
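A defender-side check for the report above, added here as an example and not code from the ClearML project or the reporter: it reads the curl banner inside each named container and flags versions in the affected range 7.69.0 <= v < 8.4.0 (fixed in 8.4.0). It assumes the containers are reachable with `docker exec` under the names listed in the report; a distro package may carry a backported fix while keeping an old version number, so treat a hit as something to confirm against the package changelog, and note that an image can ship libcurl without the `curl` binary, which this check cannot see.

```shell
#!/bin/sh
# Added example: flag curl binaries affected by CVE-2023-38545 in containers.
# Usage: sh curlcheck.sh apiserver fileserver elastic async_delete

# Return 0 (true) when the version lies in 7.69.0 <= v < 8.4.0 (CVE-2023-38545 range).
curl_is_vulnerable() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    minor=${minor:-0}
    [ "$major" -eq 7 ] 2>/dev/null && [ "$minor" -ge 69 ] && return 0
    [ "$major" -eq 8 ] 2>/dev/null && [ "$minor" -lt 4 ] && return 0
    return 1
}

# Extract "7.69.1" from the first line of `curl --version`:
#   "curl 7.69.1 (x86_64-pc-linux-gnu) libcurl/7.69.1 ..."
curl_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p'
}

# Check one container; exit 1 = affected, 2 = no curl binary found, 0 = ok.
check_container() {
    name="$1"
    if ! banner=$(docker exec "$name" curl --version 2>/dev/null); then
        echo "$name: no curl binary (check libcurl via the image's package manager)"
        return 2
    fi
    ver=$(curl_version_from_banner "$banner")
    if curl_is_vulnerable "$ver"; then
        echo "$name: curl $ver AFFECTED by CVE-2023-38545 (fixed in 8.4.0); confirm no backport"
        return 1
    fi
    echo "$name: curl $ver ok"
    return 0
}

# Scan every container named on the command line; keep going after a hit.
for c in "$@"; do
    check_container "$c" || true
done
```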

ainoam commented 8 months ago

Thanks for pointing this out @lions1988.

The base images for the upcoming server release of v1.15.0 will include the patched version for curl to fix this issue.

pollfly commented 8 months ago

Hey @lions1988! Just letting you know that this issue has been resolved in the recently released v1.15.0. Let us know if there are any issues :)