exploitDog

GHSA-qpgc-w4mg-6v92

Published: 25 Nov 2024
Source: github
GitHub: Reviewed
CVSS4: 7.3
CVSS3: 7

Description

MLflow's excessive directory permissions allow local privilege escalation

Excessive directory permissions in MLflow lead to local privilege escalation when using spark_udf. This behavior can be exploited by a local attacker to gain elevated permissions by using a ToCToU attack. The issue is only relevant when the spark_udf() MLflow API is called.

Packages

Name: mlflow (pip)
Affected versions: < 2.16.0
Fixed version: 2.16.0

EPSS

Percentile: 8%
0.00029
Low

CVSS4: 7.3 High
CVSS3: 7 High

Weaknesses

CWE-276

Related vulnerabilities

CVSS3: 7
nvd
about 1 year ago

Excessive directory permissions in MLflow lead to local privilege escalation when using spark_udf. This behavior can be exploited by a local attacker to gain elevated permissions by using a ToCToU attack. The issue is only relevant when the spark_udf() MLflow API is called.
