{"data":{"id":"98b53415-cd9f-4390-be49-adc5f57ee23c","title":"CVE-2024-0520: A vulnerability in mlflow/mlflow version 8.2.1 allows for remote code execution due to improper neutralization of specia","summary":"MLflow version 8.2.1 has a command injection vulnerability (a flaw where attackers can execute arbitrary commands by inserting malicious input into a system command) in its HTTP dataset loading function. When loading a dataset from a URL, the software does not properly sanitize the filename taken from that URL, so a crafted filename can traverse directories (path traversal, CWE-22), allowing attackers to write files anywhere on the system and potentially run harmful commands.","solution":"Upgrade to MLflow version 2.9.0, where the issue is fixed.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2024-0520","publishedAt":"2024-06-06T23:15:51.187Z","cveId":"CVE-2024-0520","cweIds":["CWE-22","CWE-22"],"cvssScore":"8.8","cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["MLflow"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.04782,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-126"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"training_data","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}