CVE-2024-37057

CVSS 3.1 Score 8.8 of 10 (high)

Details

Published Jun 4, 2024

CWE ID 502

Summary

CVE-2024-37057 is a deserialization vulnerability affecting MLflow platform versions 2.0.0rc0 and later. Maliciously crafted Tensorflow models can be uploaded and executed arbitrarily on an end user's system upon interaction, leading to potential code injection and security breaches. This vulnerability poses a serious risk to users and necessitates immediate patching or mitigation measures. It is strongly recommended to avoid using MLflow platforms with these vulnerable versions until a fix is available.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

MLFlow

Affected Vendors

MLflow

Advisories, Assessments, and Mitigations

https://app.recordedfuture.com/live/sc/entity/wNZYqz
https://www.cve.org/CVERecord?id=CVE-2024-37057
https://nvd.nist.gov/vuln/detail/CVE-2024-37057

Back to Vulnerability Database