CVE-2024-37058

CVSS 3.1 Score 8.8 of 10 (high)

Details

Published Jun 4, 2024

CWE ID 502

Summary

CVE-2024-37058 is a deserialization vulnerability affecting versions 2.5.0 and above of the MLflow platform. This issue allows a maliciously uploaded Langchain AgentExecutor model to execute arbitrary code on vulnerable systems when interacted with. An attacker can take advantage of this vulnerability by supplying untrusted data to the vulnerable system, leading to code execution and potential security breaches. MLflow users are strongly advised to update their platforms to the latest, secure version to mitigate this risk.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

MLFlow

Affected Vendors

MLflow

Advisories, Assessments, and Mitigations

https://app.recordedfuture.com/live/sc/entity/wNZYq1
https://www.cve.org/CVERecord?id=CVE-2024-37058
https://nvd.nist.gov/vuln/detail/CVE-2024-37058

Back to Vulnerability Database