PT-2024-4085

Uriya Yavnieli · Published 2024-02-23 · Updated 2025-01-22 · CVE-2024-27132

CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: MLflow versions prior to 2.4.1

Description: The issue stems from insufficient sanitization in MLflow, leading to cross-site scripting (XSS) when an untrusted recipe is run. When the recipe is run via Jupyter Notebook, the XSS can be escalated to client-side remote code execution (RCE). The root cause is a lack of sanitization of template variables.

Recommendations: To protect against remote code execution, update to version 2.4.1. As a temporary workaround, restrict the use of untrusted recipes in Jupyter Notebook until the update is applied. Avoid running untrusted recipes to minimize the risk of exploitation.

Tags: Exploit, Fix, RCE, XSS

Weakness Enumeration

Related Identifiers

BDU:2024-04534
BIT-MLFLOW-2024-27132
CVE-2024-27132
GHSA-6749-M5CP-6CG7
PYSEC-2024-240

Affected Products

Jupyter Notebook
MLflow