BIT-mlflow-2024-37056

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/mlflow/BIT-mlflow-2024-37056.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-mlflow-2024-37056

Aliases

CGA-5rg5-hmwm-f62r
CVE-2024-37056
GHSA-7p8j-qv6x-f4g4

Published

2024-06-08T07:26:02.015Z

Modified

2025-04-03T14:40:37.652Z

Summary

[none]

Details

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.23.0 or newer, enabling a maliciously uploaded LightGBM scikit-learn model to run arbitrary code on an end user’s system when interacted with.

Database specific

{
    "severity": "High",
    "cpes": [
        "cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:python:*:*"
    ]
}

References

https://hiddenlayer.com/sai-security-advisory/mlflow-june2024
https://nvd.nist.gov/vuln/detail/CVE-2024-37056

Affected packages

Bitnami / mlflow

Package

Name: mlflow
Purl: pkg:bitnami/mlflow

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

1.23.0

Fixed

2.13.2