Lucene search

6f8de1f0-f67e-45a6-b68f-98777fdb759cNVD:CVE-2024-37055

HistoryJun 04, 2024 - 12:15 p.m.

CVE-2024-37055

2024-06-0412:15:11

CWE-502

6f8de1f0-f67e-45a6-b68f-98777fdb759c

web.nvd.nist.gov

mlflow

cve-2024-37055

vulnerability

deserialization

untrusted data

arbitrary code

pmdarima model

malicious

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.8 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.24.0 or newer, enabling a maliciously uploaded pmdarima model to run arbitrary code on an end user’s system when interacted with.

References

hiddenlayer.com/sai-security-advisory/mlflow-june2024

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.8 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for NVD:CVE-2024-37055