Veracode Vulnerability Database: VERACODE:47014
May 17, 2024 - 11:30 a.m.

Improper Access Control

2024-05-17 11:30:39
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
Tags: mlflow, vulnerability, improper validation, delete requests, unauthorized deletions, artifacts, access control

CVSS3: 5.4 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

AI Score: 6.4 Medium (Confidence: High)

EPSS: 0.0004 Low (Percentile: 9.0%)

mlflow is vulnerable to Improper Access Control. The vulnerability is due to improper validation of DELETE requests by users with EDIT permissions, allowing unauthorized deletions of artifacts.

CPE Name Operator Version
mlflow le 2.12.0