CVE-2024-37060 - OpenCVE

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.27.0 or newer, enabling a maliciously crafted Recipe to execute arbitrary code on an end user’s system when run.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

No data.

No data.

References

Link	Resource
https://hiddenlayer.com/sai-security-advisory/mlflow-june2024

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: HiddenLayer

Published: 2024-06-04T12:02:12.858Z

Updated: 2024-06-04T19:51:29.918Z

Reserved: 2024-05-31T14:16:48.808Z

Link: CVE-2024-37060

JSON object: View

NVD Information

Status : Awaiting Analysis

Published: 2024-06-04T12:15:12.463

Modified: 2024-06-04T16:57:41.053

Link: CVE-2024-37060

JSON object: View

Redhat Information

No data.

CWE

CWE-502

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-37060", "assignerOrgId": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "state": "PUBLISHED", "assignerShortName": "HiddenLayer", "dateReserved": "2024-05-31T14:16:48.808Z", "datePublished": "2024-06-04T12:02:12.858Z", "dateUpdated": "2024-06-04T19:51:29.918Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "mlflow", "product": "MLflow", "repo": "https://github.com/mlflow/mlflow", "vendor": "MLflow", "versions": [{"lessThanOrEqual": "*", "status": "affected", "version": "1.27.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.27.0 or newer, enabling a maliciously crafted Recipe to execute arbitrary code on an end user\u2019s system when run.</span><br>"}], "value": "Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.27.0 or newer, enabling a maliciously crafted Recipe to execute arbitrary code on an end user\u2019s system when run."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "shortName": "HiddenLayer", "dateUpdated": "2024-06-04T12:02:12.858Z"}, "references": [{"url": "https://hiddenlayer.com/sai-security-advisory/mlflow-june2024"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "mlflow", "product": "mlflow", "cpes": ["cpe:2.3:a:mlflow:mlflow:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.27.0", "status": "affected", "lessThanOrEqual": "*", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-04T14:54:08.816308Z", "id": "CVE-2024-37060", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T19:51:29.918Z"}}]}}