CVE-2024-27134: MLflow's excessive directory permissions allow local privilege escalation

November 25, 2024

Excessive directory permissions in MLflow leads to local privilege escalation when using spark_udf. This behavior can be exploited by a local attacker to gain elevated permissions by using a ToCToU attack. The issue is only relevant when the spark_udf() MLflow API is called.

References

github.com/advisories/GHSA-qpgc-w4mg-6v92
github.com/mlflow/mlflow
github.com/mlflow/mlflow/commit/0b1d995d66a678153e01ed3040f3f4dfc16a0d6b
github.com/mlflow/mlflow/pull/10874
nvd.nist.gov/vuln/detail/CVE-2024-27134

Detect and mitigate CVE-2024-27134 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →