Four maximum severity issues reported in MLFlow
Take action: If you are using MLFlow, update to the latest version, since it's quite vulnerable. Public PoCs are already available, so hackers will find a way to abuse the vulnerabilities.
A Protect AI research report has identified MLFlow as the most vulnerable open-source machine learning framework, recording four maximum severity vulnerabilities (each with a CVSS score of 10) within a span of 50 days.
MLFlow is a popular platform for managing different stages of machine learning projects and is widely used due to a robust user community, including major organizations like Facebook, Databricks, Microsoft, Accenture, and Booking.com.
The vulnerabilities were discovered by the AI/ML bug bounty program hunter AI and could potentially lead to system takeover, loss of sensitive information, denial of service, and data destruction:
- CVE-2024-0520 (CVSS score 10): MLflow Arbitrary File Overwrite via Malicious Source URL
- CVE-2023-6831 (CVSS score 10): MLFlow Arbitrary File Delete
- CVE-2023-6977 (CVSS score 10): MLFlow Local File Include via Path Validation Bypass
- CVE-2023-6709 (CVSS score 10): MLflow Remote Code Execution through jinja2 SSTI
For all vulnerabilities, the remediation step is to update MLFlow to the latest version.