Lucene search

Veracode Vulnerability DatabaseVERACODE:47455

HistoryJun 11, 2024 - 5:48 a.m.

Undefined Behavior

2024-06-1105:48:35

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

mlflow

vulnerability

model name validation

dos

data model poisoning

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

6.7 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

mlflow is vulnerable to Undefined Behavior. The vulnerability is due to inadequate validation of model names, which allows an attacker to create multiple models with the same name, leading to potential Denial of Service (DoS) and data model poisoning.

CPENameOperatorVersion
mlflowle2.11.2
mlflowle2.11.2

CPE	Name	Operator	Version
	mlflow	le	2.11.2
	mlflow	le	2.11.2

References

github.com/advisories/GHSA-8f8q-q2j7-7j2m

github.com/mlflow/mlflow/commit/fee3067c0251fc9091b9a017bc18dfd3c3b720b8

huntr.com/bounties/8d96374a-ce8d-480e-9cb0-0a7e5165c24a

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

6.7 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for VERACODE:47455