BIT-mlflow-2024-37060

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/mlflow/BIT-mlflow-2024-37060.json

JSON Data

https://api.test.osv.dev/v1/vulns/BIT-mlflow-2024-37060

Aliases

CGA-cpj6-2jgp-w82g
CVE-2024-37060
GHSA-cv6c-7963-wxcg

Published

2024-06-08T07:24:57.709Z

Modified

2025-04-03T14:40:37.652Z

Summary

[none]

Details

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.27.0 or newer, enabling a maliciously crafted Recipe to execute arbitrary code on an end user’s system when run.

Database specific

{
    "cpes": [
        "cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:python:*:*"
    ],
    "severity": "High"
}

References

https://hiddenlayer.com/sai-security-advisory/mlflow-june2024
https://nvd.nist.gov/vuln/detail/CVE-2024-37060

Affected packages

Bitnami / mlflow

Package

Name: mlflow
Purl: pkg:bitnami/mlflow

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

1.27.0

Fixed

2.13.2