======================================================================
CERT-Renater Information Note No. 2024/VULN508
______________________________________________________________________
DATE                 : 29/11/2024
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running mlflow versions prior to 2.16.0.
======================================================================

https://github.com/advisories/GHSA-qpgc-w4mg-6v92
https://nvd.nist.gov/vuln/detail/CVE-2024-27134
https://github.com/mlflow/mlflow/pull/10874
https://github.com/mlflow/mlflow/commit/0b1d995d66a678153e01ed3040f3f4dfc16a0d6b
______________________________________________________________________

MLflow's excessive directory permissions allow local privilege escalation

Severity : High
GitHub Reviewed
Published Nov 25, 2024 to the GitHub Advisory Database
Updated Nov 25, 2024

Vulnerability details

Package           : mlflow (pip)
Affected versions : < 2.16.0
Patched versions  : 2.16.0

Description

Excessive directory permissions in MLflow lead to local privilege escalation
when using spark_udf. A local attacker can exploit this behavior to gain
elevated permissions through a TOCTOU (time-of-check to time-of-use) attack.
The issue is only relevant when the spark_udf() MLflow API is called.
References
  https://nvd.nist.gov/vuln/detail/CVE-2024-27134
  mlflow/mlflow#10874
  mlflow/mlflow@0b1d995

Published by the National Vulnerability Database : Nov 25, 2024
Published to the GitHub Advisory Database       : Nov 25, 2024
Reviewed                                        : Nov 25, 2024
Last updated                                    : Nov 25, 2024

Severity : High, 7.3 / 10

CVSS v4 base metrics
  Exploitability Metrics
    Attack Vector       : Local
    Attack Complexity   : Low
    Attack Requirements : Present
    Privileges Required : None
    User Interaction    : Passive
  Vulnerable System Impact Metrics
    Confidentiality : High
    Integrity       : High
    Availability    : High
  Subsequent System Impact Metrics
    Confidentiality : None
    Integrity       : None
    Availability    : None
  Vector : CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS score  : 0.043% (10th percentile)
Weaknesses  : CWE-276
CVE ID      : CVE-2024-27134
GHSA ID     : GHSA-qpgc-w4mg-6v92
Source code : mlflow/mlflow

=========================================================
+ CERT-RENATER       | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel   | fax : 01-53-94-20-41            +
+ 75013 Paris        | email : cert@support.renater.fr +
=========================================================