Excessive directory permissions in MLflow leads to local privilege escalation when using spark_udf. This behavior can be exploited by a local attacker to gain elevated permissions by using a ToCToU attack. The issue is only relevant when the spark_udf() MLflow API is called.
Metrics
Affected Vendors & Products
References
Link | Providers |
---|---|
https://github.com/mlflow/mlflow/pull/10874 |
History
Mon, 25 Nov 2024 15:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Lfprojects
Lfprojects mlflow |
|
CPEs | cpe:2.3:a:lfprojects:mlflow:-:*:*:*:*:*:*:* | |
Vendors & Products |
Lfprojects
Lfprojects mlflow |
|
Metrics |
ssvc
|
Mon, 25 Nov 2024 14:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Excessive directory permissions in MLflow leads to local privilege escalation when using spark_udf. This behavior can be exploited by a local attacker to gain elevated permissions by using a ToCToU attack. The issue is only relevant when the spark_udf() MLflow API is called. | |
Title | Excessive directory permissions in MLflow leads to local privilege escalation when using spark_udf | |
Weaknesses | CWE-276 CWE-367 |
|
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: JFROG
Published: 2024-11-25T13:48:05.117Z
Updated: 2024-11-25T14:23:59.324Z
Reserved: 2024-02-20T11:10:51.335Z
Link: CVE-2024-27134
Vulnrichment
Updated: 2024-11-25T14:23:53.801Z
NVD
Status : Received
Published: 2024-11-25T14:15:06.867
Modified: 2024-11-25T14:15:06.867
Link: CVE-2024-27134
Redhat
No data.