CVE-2024-27134 — HIGH (CVSS 7.0) AI Security Vulnerability

Excessive directory permissions in MLflow leads to local privilege escalation when using spark_udf. This behavior can be exploited by a local attacker to gain elevated permissions by using a ToCToU...

Full analysis pending. Showing NVD description excerpt.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
mlflow	pip	< 2.16.0	`2.16.0`
mlflow	pip	—	No patch

Severity & Risk

CVSS 3.1

7.0 / 10

EPSS

0.0%

chance of exploitation in 30 days

KEV Status

Not in KEV

Sophistication

N/A

Recommended Action

Patch available

Update mlflow to version 2.16.0

Compliance Impact

Compliance analysis pending. Sign in for full compliance mapping when available.

Technical Details

NVD Description

Excessive directory permissions in MLflow leads to local privilege escalation when using spark_udf. This behavior can be exploited by a local attacker to gain elevated permissions by using a ToCToU attack. The issue is only relevant when the spark_udf() MLflow API is called.

Weaknesses (CWE)

CWE-276 Incorrect Default Permissions Primary CWE-276 CWE-367

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published

November 25, 2024

Last Modified

February 3, 2025

First Seen

November 25, 2024