{"data":{"id":"2f19f616-ad0c-48c1-af43-bedf56f3471e","title":"CVE-2024-3099: A vulnerability in mlflow/mlflow version 2.11.1 allows attackers to create multiple models with the same name by exploiting URL encoding","summary":"MLflow version 2.11.1 has a vulnerability where attackers can create multiple models with the same name by using URL encoding (a technique that converts special characters into a format safe for web addresses). Because the system treats the URL-encoded name and the regular name as different models, this can lead to denial of service (making a service unavailable) or data poisoning (inserting corrupted or malicious data): an authenticated user might accidentally use a fake model instead of the real one.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2024-3099","publishedAt":"2024-06-06T23:15:59.393Z","cveId":"CVE-2024-3099","cweIds":["CWE-475"],"cvssScore":"5.4","cvssSeverity":"medium","severity":"medium","attackType":["model_poisoning","denial_of_service"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["MLflow"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00063,"patchAvailable":null,"disclosureDate":null,"capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","availability"],"aiComponentTargeted":"model","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}