CVE-2024-27134

CVSS 3.1 Score 7 of 10 (high)

Details

Published Nov 25, 2024
CWE ID 276
CWE ID 367

Summary

CVE-2024-27134 is a local privilege escalation vulnerability in MLflow caused by excessive directory permissions (CWE-276). When the spark_udf() MLflow API is used, MLflow creates a working directory with overly permissive mode, so other local users can write into it. A local attacker can exploit the window between the moment MLflow checks or creates that directory and the moment it uses it, a Time-of-Check to Time-of-Use (TOCTOU) race (CWE-367), to plant content and gain elevated permissions. The issue is only relevant on systems where spark_udf() is actually called; MLflow deployments that never invoke this API are not exposed through this path.
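The vulnerability class described above, shown as an added generic illustration rather than MLflow's own code or a reproduction of CVE-2024-27134: a world-writable working directory (CWE-276) lets another local user plant a symlink before the owner writes into it (CWE-367), and the hardened variant closes the window by creating a private directory, verifying it, and opening files with O_CREAT|O_EXCL|O_NOFOLLOW. All function names, the directory layout and the "attacker" step are constructed for this demo.

```python
"""
Generic illustration of CWE-276 + CWE-367 on a shared directory, with a hardened
alternative. Not MLflow code and not a reproduction of CVE-2024-27134.
"""
import os
import stat
import tempfile


def create_shared_dir_weak(path: str) -> str:
    """Vulnerable pattern: a working directory every local user can write to."""
    os.makedirs(path, exist_ok=True)
    os.chmod(path, 0o777)  # explicit chmod so umask does not hide the mistake
    return path


def naive_write(directory: str, name: str, data: bytes) -> str:
    """Vulnerable pattern: open() follows whatever symlink was planted under `name`."""
    target = os.path.join(directory, name)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def create_private_dir() -> str:
    """Hardened: mkdtemp creates a fresh, unpredictable directory with mode 0700."""
    return tempfile.mkdtemp(prefix="udf-")


def is_private_dir(path: str) -> bool:
    """True if `path` is a real directory owned by us and not group/world writable."""
    st = os.lstat(path)  # lstat so a symlink at the directory itself is not followed
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != os.getuid():
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def safe_write(directory: str, name: str, data: bytes) -> str:
    """Hardened: verify the directory, then create the file atomically.

    O_CREAT|O_EXCL fails if anything (file or symlink) already exists under that
    name and O_NOFOLLOW refuses to traverse a symlink, so there is no check/use
    window left for a local attacker to race.
    """
    if not is_private_dir(directory):
        raise PermissionError(f"refusing to use shared or foreign directory: {directory}")
    target = os.path.join(directory, name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Simulate the race outcome: the 'attacker' pre-plants a symlink in the weak dir."""
    root = tempfile.mkdtemp(prefix="demo-")
    victim = os.path.join(root, "victim.txt")  # constructed file the attacker wants overwritten
    with open(victim, "wb") as fh:
        fh.write(b"original")

    weak = create_shared_dir_weak(os.path.join(root, "shared"))
    os.symlink(victim, os.path.join(weak, "model.bin"))  # constructed attacker step
    naive_write(weak, "model.bin", b"attacker-controlled")
    with open(victim, "rb") as fh:
        clobbered = fh.read() == b"attacker-controlled"

    private = create_private_dir()
    written = safe_write(private, "model.bin", b"payload")
    with open(written, "rb") as fh:
        safe_ok = fh.read() == b"payload"

    # Even if something were planted, O_EXCL|O_NOFOLLOW refuses to proceed.
    os.symlink(victim, os.path.join(private, "other.bin"))
    try:
        safe_write(private, "other.bin", b"x")
        refused = False
    except OSError:
        refused = True

    return {
        "weak_dir_is_private": is_private_dir(weak),
        "victim_clobbered": clobbered,
        "private_dir_is_private": is_private_dir(private),
        "safe_write_ok": safe_ok,
        "planted_symlink_refused": refused,
    }


if __name__ == "__main__":
    print(demo())
```

The check in is_private_dir is what a reviewer would look for when auditing code that hands a directory to another process (a Spark executor, for example): ownership by the current user and no group/world write bit. The O_EXCL|O_NOFOLLOW open is what turns the remaining check/use gap into a hard failure instead of a silent overwrite.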
