CVE-2024-27134
Published 2024-11-25
Priority P4 · 33 · high · 7 (CVSS 3.1)
CVSS vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.12% (2.2th percentile)
Excessive directory permissions in MLflow lead to local privilege escalation when using spark_udf. This behavior can be exploited by a local attacker to gain elevated permissions by using a ToCToU attack. The issue is only relevant when the spark_udf() MLflow API is called.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lfprojects | mlflow | < 2.16.0 | 2.16.0 |
| lfprojects | mlflow | >= 0 < 2.16.0 | 2.16.0 |
OSV
MLflow's excessive directory permissions allow local privilege escalation
osv·2024-11-25
CVE-2024-27134 [HIGH] MLflow's excessive directory permissions allow local privilege escalation
GHSA
MLflow's excessive directory permissions allow local privilege escalation
ghsa·2024-11-25
CVE-2024-27134 [HIGH] CWE-276 MLflow's excessive directory permissions allow local privilege escalation
OSV
CVE-2024-27134: Excessive directory permissions in MLflow leads to local privilege escalation when using spark_udf
osv·2024-11-25
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2024-11-25
Published