A vulnerability in mlflow/mlflow version 2.11.1 allows attackers to create multiple models with the same name by exploiting URL encoding. This flaw can lead to Denial of Service (DoS) as an authenticated user might not be able to use the intended model, as it will open a different model each time. Additionally, an attacker can exploit this vulnerability to perform data model poisoning by creating a model with the same name, potentially causing an authenticated user to become a victim by using the poisoned model. The issue stems from inadequate validation of model names, allowing for the creation of models with URL-encoded names that are treated as distinct from their URL-decoded counterparts.
History

Fri, 11 Oct 2024 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Lfprojects
Lfprojects mlflow
Weaknesses NVD-CWE-Other
CPEs cpe:2.3:a:lfprojects:mlflow:-:*:*:*:*:*:*:*
Vendors & Products Lfprojects
Lfprojects mlflow
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-06-06T18:08:16.402Z

Updated: 2024-08-01T19:32:42.675Z

Reserved: 2024-03-29T17:47:14.222Z

Link: CVE-2024-3099

cve-icon Vulnrichment

Updated: 2024-08-01T19:32:42.675Z

cve-icon NVD

Status : Modified

Published: 2024-06-06T19:15:59.393

Modified: 2024-11-21T09:28:53.953

Link: CVE-2024-3099

cve-icon Redhat

No data.