Lucene search

K
githubGitHub Advisory DatabaseGHSA-WF7F-8FXF-XFXC
HistoryJun 04, 2024 - 12:31 p.m.

MLFlow unsafe deserialization

2024-06-0412:31:05
CWE-502
GitHub Advisory Database
github.com
17
mlflow
unsafe deserialization
pytorch
arbitrary code
security issue
software vulnerability

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.8

Confidence

High

EPSS

0

Percentile

9.0%

Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with.

Affected configurations

Vulners
Node
-mlflowRange0.5.02.14.1
VendorProductVersionCPE
-mlflow*cpe:2.3:a:-:mlflow:*:*:*:*:*:*:*:*

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.8

Confidence

High

EPSS

0

Percentile

9.0%