Veracode Vulnerability DatabaseVERACODE:47562Deserialization Of Untrusted Data
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
9.0%
mlflow is vulnerable to Deserialization of Untrusted Data. The vulnerability is due to improper handling of untrusted data in the _load_model_from_local_file function within the sklearn/__init__.py. The vulnerability allows an attacker to inject a malicious pickle object into a model file on upload, which is then deserialized when the model is loaded, resulting in arbitrary code execution within the victims machine.
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
9.0%