{"data":{"id":"275e8583-c55d-4637-901a-98027472da00","title":"CVE-2024-37056: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.23.0 or newer, enabling a maliciously uploaded LightGBM scikit-learn model to run arbitrary code on an end user's system when interacted with.","summary":"CVE-2024-37056 is a vulnerability in MLflow (a machine learning platform) version 1.23.0 and newer that allows deserialization of untrusted data (reconstructing objects from serialized data that hasn't been verified as safe, which can execute code embedded in that data). An attacker can upload a malicious LightGBM or scikit-learn model (machine learning libraries) that runs arbitrary code (any commands the attacker chooses) on a user's computer when the model is opened.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2024-37056","publishedAt":"2024-06-04T16:15:11.593Z","cveId":"CVE-2024-37056","cweIds":["CWE-502","CWE-502"],"cvssScore":"8.8","cvssSeverity":"high","severity":"high","attackType":["model_poisoning"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["MLflow","LightGBM","scikit-learn"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00522,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-586"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"model","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}