{"data":{"id":"d3de6226-c87f-45fc-aba8-ee2a8ef0a676","title":"CVE-2024-27134: Excessive directory permissions in MLflow leads to local privilege escalation when using spark_udf. This behavior can be","summary":"MLflow has a vulnerability (CVE-2024-27134) in which directories have overly permissive access settings, allowing a local attacker to gain elevated privileges through a TOCTOU (time-of-check to time-of-use) race condition, in which the attacker exploits the gap between when a program checks permissions on a resource and when it actually uses that resource. This only affects code that uses the spark_udf() MLflow API.","solution":"A patch is available at https://github.com/mlflow/mlflow/pull/10874, though the source does not specify which MLflow version contains the fix.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2024-27134","publishedAt":"2024-11-25T19:15:06.867Z","cveId":"CVE-2024-27134","cweIds":["CWE-276","CWE-367"],"cvssScore":"7","cvssSeverity":"high","severity":"high","attackType":["other"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["MLflow"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00022,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-27"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","availability"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}