Executive Summary

Informations
Name CVE-2024-3099 First vendor Publication 2024-06-06
Vendor Cve Last vendor Modification 2024-10-11

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Overall CVSS Score 5.4
Base Score 5.4 Environmental Score 5.4
impact SubScore 2.5 Temporal Score 5.4
Exploitabality Sub Score 2.8
 
Attack Vector Network Attack Complexity Low
Privileges Required Low User Interaction None
Scope Unchanged Confidentiality Impact None
Integrity Impact Low Availability Impact Low
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score N/A Attack Range N/A
Cvss Impact Score N/A Attack Complexity N/A
Cvss Expoit Score N/A Authentication N/A
Calculate full CVSS 2.0 Vectors scores

Detail

A vulnerability in mlflow/mlflow version 2.11.1 allows attackers to create multiple models with the same name by exploiting URL encoding. This flaw can lead to Denial of Service (DoS) as an authenticated user might not be able to use the intended model, as it will open a different model each time. Additionally, an attacker can exploit this vulnerability to perform data model poisoning by creating a model with the same name, potentially causing an authenticated user to become a victim by using the poisoned model. The issue stems from inadequate validation of model names, allowing for the creation of models with URL-encoded names that are treated as distinct from their URL-decoded counterparts.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3099

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1

Sources (Detail)

https://huntr.com/bounties/8d96374a-ce8d-480e-9cb0-0a7e5165c24a
Source Url

Alert History

If you want to see full details history, please login or register.
0
1
2
Date Informations
2024-10-11 21:27:41
  • Multiple Updates
2024-06-07 21:27:24
  • Multiple Updates
2024-06-07 00:27:26
  • First insertion