CVE-2024-37053

CVSS 3.1 Score 8.8 of 10 (high)

Details

Published Jun 4, 2024

CWE ID 502

Summary

CVE-2024-37053 is a deserialization vulnerability affecting versions 1.1.0 and newer of the MLflow platform. Maliciously crafted scikit-learn models, when uploaded to MLflow, can cause untrusted data to be deserialized, resulting in arbitrary code execution on the end user's system. This vulnerability poses a significant risk, as it allows attackers to run malicious code on systems interacting with the affected MLflow instances. Users are advised to upgrade to a patched version of MLflow as soon as possible to mitigate this threat.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

MLFlow

Affected Vendors

MLflow

Advisories, Assessments, and Mitigations

https://app.recordedfuture.com/live/sc/entity/wNZcjp
https://www.cve.org/CVERecord?id=CVE-2024-37053
https://nvd.nist.gov/vuln/detail/CVE-2024-37053

Back to Vulnerability Database