Untriaged
CVE-2024-27134
7.0 HIGH
- CVSS version: 3.1
- Attack vector (AV): LOCAL
- Attack complexity (AC): HIGH
- Privileges required (PR): NONE
- User interaction (UI): REQUIRED
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): HIGH
Excessive directory permissions in MLflow leads to local privilege escalation when using spark_udf
Excessive directory permissions in MLflow lead to local privilege escalation when using spark_udf. A local attacker can exploit this behavior to gain elevated permissions through a TOCTOU (time-of-check to time-of-use) attack. The issue is only relevant when the spark_udf() MLflow API is called.
Affected products
mlflow
- <2.16.0
Matching in nixpkgs
pkgs.mlflow-server
Open source platform for the machine learning lifecycle
- nixos-unstable: -
- nixpkgs-unstable: 3.3.1
pkgs.python312Packages.mlflow
Open source platform for the machine learning lifecycle
- nixos-unstable: -
- nixpkgs-unstable: 3.3.1
pkgs.python313Packages.mlflow
Open source platform for the machine learning lifecycle
- nixos-unstable: -
- nixpkgs-unstable: 3.3.1
pkgs.python312Packages.sagemaker-mlflow
MLflow plugin for SageMaker
- nixos-unstable: -
- nixpkgs-unstable: 0.1.1
pkgs.python313Packages.sagemaker-mlflow
MLflow plugin for SageMaker
- nixos-unstable: -
- nixpkgs-unstable: 0.1.1
Package maintainers
- @tbenst Tyler Benster <nix@tylerbenster.com>
- @GaetanLepage Gaetan Lepage <gaetan@glepage.com>