Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-27134

Excessive directory permissions in MLflow leads to local privilege escalation when using spark_udf. This behavior can be exploited by a local attacker to gain elevated permissions by using a ToCToU attack. The issue is only relevant when the spark_udf() MLflow API is called.

Published

2024-11-25T14:15:06.867

Last Modified

2025-02-03T15:05:50.187

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 7.0 (HIGH)

Weaknesses

Type: Primary
CWE-276
CWE-367

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	lfprojects	mlflow	< 2.16.0	Yes

References

https://github.com/mlflow/mlflow/pull/10874 Issue Tracking, Patch ([email protected])