BIT-mlflow-2024-37052

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/mlflow/BIT-mlflow-2024-37052.json

JSON Data

https://api.test.osv.dev/v1/vulns/BIT-mlflow-2024-37052

Aliases

CGA-3f38-vqc4-r77r
CVE-2024-37052
GHSA-76cg-cfhx-373f

Published

2024-06-08T07:27:12.212Z

Modified

2025-04-03T14:40:37.652Z

Summary

[none]

Details

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with.

Database specific

{
    "severity": "High",
    "cpes": [
        "cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:python:*:*"
    ]
}

References

https://hiddenlayer.com/sai-security-advisory/mlflow-june2024
https://nvd.nist.gov/vuln/detail/CVE-2024-37052

Affected packages

Bitnami / mlflow

Package

Name: mlflow
Purl: pkg:bitnami/mlflow

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

1.1.0

Fixed

2.13.2