{"data":{"id":"8e37dfcc-82b9-48be-86e0-961f12587789","title":"CVE-2024-37053: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling ","summary":"CVE-2024-37053 is a vulnerability in MLflow (a machine learning platform) version 1.1.0 and newer where deserialization of untrusted data (reconstructing in-memory objects from saved data without checking whether that data is safe) can occur. An attacker can upload a malicious scikit-learn (a machine learning library) model that runs arbitrary code (any commands the attacker chooses) on a user's computer when the model is loaded and used.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2024-37053","publishedAt":"2024-06-04T16:15:10.957Z","cveId":"CVE-2024-37053","cweIds":["CWE-502","CWE-502"],"cvssScore":"8.8","cvssSeverity":"high","severity":"high","attackType":["model_poisoning"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["MLflow"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00519,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-586"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"model","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}