Veracode Vulnerability DatabaseVERACODE:47564Deserialization Of Untrusted Data
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
AI Score
Confidence
Low
EPSS
Percentile
9.0%
mlflow is vulnerable to Deserialization Of Untrusted Data. The vulnerability is due to unsafe deserialization in the function _load_model_from_local_file within sklearn/init.py. An attacker can inject a malicious pickle object into a model file on upload, which will be deserialized resulting in malicious code execution on the victims machine.
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
AI Score
Confidence
Low
EPSS
Percentile
9.0%