PT-2024-30080 · Mlflow · Mlflow

Published: 2024-05-16 · Updated: 2025-02-04 · CVE-2024-4263

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: mlflow/mlflow versions before 2.10.1
Description: A broken access control issue exists that allows low-privilege users holding only EDIT permission on an experiment to delete any of its artifacts. The cause is missing validation of DELETE requests issued by users with EDIT permission, which lets them perform unauthorized artifact deletions. The issue specifically affects how the application handles artifact deletions: a low-privilege user can delete a directory inside an artifact with a single DELETE request, even though the official documentation states that users with EDIT permission may only read and update artifacts, not delete them.
Recommendations: For mlflow/mlflow versions before 2.10.1, update to version 2.10.1 or later to resolve the issue. As a temporary workaround, restrict DELETE requests from users with EDIT permission and limit access to the artifact deletion functionality so that only users who are authorized to delete artifacts can reach it.
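The check described above, recreated as an added example that is not MLflow's code: the route prefix, the permission names and the structure of the check are assumptions modelled on the advisory text. It places the flawed method-to-permission mapping (DELETE gated only on the update right) beside the corrected one (DELETE gated on a separate delete right) and runs both against the same constructed request.

```python
"""Hypothetical re-creation of the access-control gap in CVE-2024-4263.
Not MLflow's code: route, permission names and check structure are assumed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Permission:
    name: str
    can_read: bool
    can_update: bool
    can_delete: bool

# Permission levels as the advisory describes them: EDIT may read and update
# artifacts but must not delete them; only MANAGE may delete.
READ = Permission("READ", True, False, False)
EDIT = Permission("EDIT", True, True, False)
MANAGE = Permission("MANAGE", True, True, True)

ARTIFACT_PREFIX = "/api/2.0/mlflow-artifacts/artifacts/"   # assumed route prefix

def is_artifact_request(path: str) -> bool:
    return path.startswith(ARTIFACT_PREFIX)

def vulnerable_check(method: str, path: str, perm: Permission) -> bool:
    """Flawed check: every non-GET method, DELETE included, is gated on
    can_update, so an EDIT user can delete a directory inside an artifact."""
    if not is_artifact_request(path):
        return True
    if method == "GET":
        return perm.can_read
    return perm.can_update          # DELETE falls through to the update right

def fixed_check(method: str, path: str, perm: Permission) -> bool:
    """Hardened check: DELETE is validated separately against can_delete."""
    if not is_artifact_request(path):
        return True
    if method == "GET":
        return perm.can_read
    if method == "DELETE":
        return perm.can_delete
    return perm.can_update

# Constructed sample request: an EDIT-only user deleting a directory inside
# an experiment's artifact store.
SAMPLE = ("DELETE", ARTIFACT_PREFIX + "1/run-abc/model", EDIT)

def compare_sample() -> tuple:
    """Return (allowed by flawed check, allowed by fixed check) for SAMPLE."""
    return vulnerable_check(*SAMPLE), fixed_check(*SAMPLE)

if __name__ == "__main__":
    print(compare_sample())  # (True, False)
```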

Weakness Enumeration

Improper Access Control

Related Identifiers

BIT-MLFLOW-2024-4263
CVE-2024-4263
GHSA-P4JX-Q62P-X5JR
PYSEC-2024-51

Affected Products

Mlflow