CVE-2024-24595 is a vulnerability identified in Allegro AI's open-source ClearML platform, specifically related to insufficient protection of user credentials (CWE-522). The issue arises because ClearML stores user passwords in plaintext within its MongoDB database instance. This insecure storage practice means that if an attacker gains access to the MongoDB server, they can directly retrieve all user emails and passwords without needing to bypass encryption or hashing mechanisms. The vulnerability affects version 0 of ClearML, indicating early or initial releases of the product. According to the CVSS 3.1 vector (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N), exploitation requires local access with high privileges but no user interaction, and it results in high confidentiality and integrity impact, though availability is not affected. The vulnerability does not have known exploits in the wild yet. The root cause is the failure to implement secure credential storage best practices, such as hashing passwords with a strong algorithm and salting, or using dedicated secrets management solutions. This flaw exposes organizations using ClearML to significant risk of credential compromise if their MongoDB instances are improperly secured or accessed by malicious insiders or attackers who have escalated privileges.

For European organizations using ClearML, this vulnerability poses a serious risk to user credential confidentiality and integrity. If an attacker gains local access to the MongoDB instance, they can extract plaintext passwords and emails, potentially leading to account takeover, lateral movement within the network, and further compromise of sensitive machine learning workflows and data. Given that ClearML is used for managing machine learning experiments and infrastructure, exposure of credentials could also lead to unauthorized access to intellectual property, proprietary models, and sensitive datasets. The impact is heightened in regulated industries prevalent in Europe, such as finance, healthcare, and manufacturing, where data protection laws like GDPR impose strict requirements on credential security and breach notification. Additionally, compromised credentials could be reused on other systems if password reuse occurs, amplifying the risk. The medium CVSS score reflects the requirement for local privileged access, which limits remote exploitation but does not eliminate risk from insider threats or attackers who have already breached perimeter defenses.

European organizations should immediately audit their ClearML deployments to identify if they are running affected versions. Since no official patch links are provided, organizations should consider the following mitigations: 1) Restrict and monitor access to MongoDB instances hosting ClearML data, enforcing strict access controls and network segmentation to prevent unauthorized local access. 2) Implement encryption at rest for MongoDB databases to protect stored data even if the server is compromised. 3) Replace plaintext password storage by customizing ClearML or applying post-deployment scripts to hash existing passwords using strong algorithms (e.g., bcrypt, Argon2) and enforce password resets for all users. 4) Employ robust logging and alerting on MongoDB access patterns to detect suspicious activity early. 5) Use multi-factor authentication (MFA) for ClearML user accounts and administrative access to reduce the risk of credential misuse. 6) Regularly review and update ClearML and MongoDB configurations to follow security best practices, including disabling unnecessary local access and applying principle of least privilege. 7) Educate internal teams about the risks of insider threats and enforce strict operational security policies around credential handling.