CVE-2024-27133
Published 2024-02-23
Priority: P3 (42)
CVSS 3.1 base score: 9.6 (critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.65% (46.5th percentile)
Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over dataset table fields.
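The advisory describes one mechanism: values from an untrusted dataset's table fields are emitted into notebook HTML without escaping, so a cell that carries markup executes in the Jupyter page's origin. The following is an added illustration written for this page, not MLflow's code and not the change that shipped in 2.10.0: a small table renderer in its unescaped form beside the escaped one, a constructed dataset row that carries markup, and a check that flags rendered output containing tags the renderer itself never emits. The function and column names are assumptions.

```python
import html
import re
from typing import List, Mapping, Sequence

# Constructed sample rows standing in for an untrusted dataset. The second
# row's "comment" field carries markup; the third carries quotes, which matter
# when a value ever lands inside an HTML attribute.
CONSTRUCTED_ROWS: List[Mapping[str, str]] = [
    {"id": "1", "comment": "plain text"},
    {"id": "2", "comment": "<script>alert('xss')</script>"},
    {"id": "3", "comment": 'he said "hi"'},
]
COLUMNS: Sequence[str] = ("id", "comment")

# Tags this renderer emits on its own. Anything else in the output came from
# the data, which is exactly the condition the advisory describes.
_OWN_TAG = re.compile(r"</?(table|tr|th|td)>")


def render_table_unsafe(rows: Sequence[Mapping[str, str]],
                        columns: Sequence[str]) -> str:
    """'Before' pattern: cell values are concatenated straight into HTML.

    A value such as "<script>...</script>" becomes live markup in the
    notebook output cell.
    """
    parts = ["<table>", "<tr>" + "".join(f"<th>{c}</th>" for c in columns) + "</tr>"]
    for row in rows:
        parts.append("<tr>" + "".join(f"<td>{row[c]}</td>" for c in columns) + "</tr>")
    parts.append("</table>")
    return "".join(parts)


def render_table_safe(rows: Sequence[Mapping[str, str]],
                      columns: Sequence[str]) -> str:
    """Hardened form: every header and cell passes through html.escape.

    quote=True also escapes single and double quotes, so the same helper is
    safe for values that end up inside attributes, not only in text nodes.
    """
    esc = lambda v: html.escape(str(v), quote=True)
    parts = ["<table>", "<tr>" + "".join(f"<th>{esc(c)}</th>" for c in columns) + "</tr>"]
    for row in rows:
        parts.append("<tr>" + "".join(f"<td>{esc(row[c])}</td>" for c in columns) + "</tr>")
    parts.append("</table>")
    return "".join(parts)


def foreign_tags(document: str) -> List[str]:
    """Return every tag in `document` that the renderer does not emit itself.

    A non-empty result means an untrusted field reached the page as markup.
    Useful as a unit-test assertion on any HTML a library builds from data.
    """
    return [m.group(0) for m in re.finditer(r"<[^>]+>", document)
            if not _OWN_TAG.fullmatch(m.group(0))]


def rendered_cell(document: str, column_index: int, row_index: int) -> str:
    """Extract one rendered <td> body (row 0 is the first data row)."""
    rows = re.findall(r"<tr>(.*?)</tr>", document)[1:]  # skip the header row
    cells = re.findall(r"<td>(.*?)</td>", rows[row_index])
    return cells[column_index]


if __name__ == "__main__":
    unsafe = render_table_unsafe(CONSTRUCTED_ROWS, COLUMNS)
    safe = render_table_safe(CONSTRUCTED_ROWS, COLUMNS)
    print("unsafe output carries foreign tags:", foreign_tags(unsafe))
    print("safe output carries foreign tags:  ", foreign_tags(safe))
    print("escaped cell:", rendered_cell(safe, 1, 1))
```

In a notebook the document string would typically be handed to `IPython.display.HTML`, which is where the escaping has to have happened already; `foreign_tags` is the kind of check to run in the library's tests over fixture datasets that contain markup, so a regression of this class fails CI rather than executing in a user's session.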
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lfprojects | mlflow | <= 2.9.2 | — |
| lfprojects | mlflow | >= 0 < 2.10.0 | 2.10.0 |
OSV · 2024-02-24 · [CRITICAL] MLFlow Cross-site Scripting vulnerability leads to client-side Remote Code Execution (CVE-2024-27133)
GHSA · 2024-02-24 · [CRITICAL] CWE-79 · MLFlow Cross-site Scripting vulnerability leads to client-side Remote Code Execution (CVE-2024-27133)
OSV · 2024-02-23 · CVE-2024-27133: Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.