PT-2024-27277 · Mlflow · Mlflow

Published 2024-06-04 · Updated 2024-06-08 · CVE-2024-37061

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: MLflow platform versions 1.11.0 and newer

Description: Remote Code Execution can occur in the MLflow platform: a maliciously crafted MLproject can execute arbitrary code on an end user's system when it is run, because its input is not filtered.

Recommendations: For versions 1.11.0 and newer, consider disabling the execution of MLprojects until a patch is available, to prevent Remote Code Execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit · RCE · Code Injection


Weakness Enumeration

Related Identifiers

BIT-MLFLOW-2024-37061
CVE-2024-37061
GHSA-PQCV-QW2R-R859

Affected Products

Mlflow