{"data":{"id":"006b9355-88af-4546-bd4f-dde97d06df86","title":"CVE-2024-37052: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling ","summary":"CVE-2024-37052 is a vulnerability in MLflow (a machine learning platform) version 1.1.0 and newer in which deserialization of untrusted data (reconstructing program objects from an external format without first checking that the input is safe) allows a maliciously crafted scikit-learn (a machine learning library) model to execute arbitrary code on a user's system when the model is loaded and used. This means an attacker could upload a harmful model that runs malicious commands when someone interacts with it.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2024-37052","publishedAt":"2024-06-04T16:15:10.413Z","cveId":"CVE-2024-37052","cweIds":["CWE-502","CWE-502"],"cvssScore":"8.8","cvssSeverity":"high","severity":"high","attackType":["model_poisoning"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["MLflow"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.0042,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-586"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"model","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}