में ठीक किया गया
2.9.3
2.10.0
CVE-2024-27132 describes a critical cross-site scripting (XSS) vulnerability discovered in MLflow, a platform for managing the machine learning lifecycle. This flaw arises from insufficient sanitization of template variables when executing untrusted recipes, potentially leading to remote code execution (RCE) within a Jupyter Notebook environment. The vulnerability affects MLflow versions 2.9.2 and earlier, with a fix available in version 2.10.0.
The core impact of CVE-2024-27132 lies in the ability of an attacker to inject malicious JavaScript code into a recipe executed within MLflow. Because recipes are often run within Jupyter Notebooks, this injected code can execute with the privileges of the user running the notebook. Successful exploitation could allow an attacker to steal sensitive data, such as API keys, database credentials, or model artifacts. More severely, it could enable the attacker to execute arbitrary commands on the underlying system, leading to complete system compromise. The RCE aspect significantly elevates the risk, moving beyond simple information disclosure to full system control. This vulnerability shares similarities with other XSS vulnerabilities that have been exploited to achieve code execution in similar environments.
CVE-2024-27132 was publicly disclosed on February 23, 2024. The vulnerability's severity is rated as CRITICAL (CVSS 9.6). Currently, no public proof-of-concept (PoC) exploits have been widely reported, but the potential for RCE makes it a high-priority vulnerability. It is not currently listed on the CISA KEV catalog. Active exploitation is not yet confirmed, but the ease of exploitation once a PoC is available warrants immediate attention.
Organizations heavily reliant on MLflow for machine learning model management and deployment are at significant risk. Specifically, teams using MLflow within Jupyter Notebook environments, particularly those dealing with sensitive data or running recipes from external sources, should prioritize remediation. Shared hosting environments where multiple users execute MLflow recipes are also at increased risk.
• python / mlflow:
import mlflow
# Check MLflow version
print(mlflow.__version__)
# Monitor Jupyter Notebook logs for unusual JavaScript execution• generic web:
curl -I <mlflow_endpoint> | grep -i 'x-content-type-options'• generic web:
curl -I <mlflow_endpoint> | grep -i 'content-security-policy'disclosure
एक्सप्लॉइट स्थिति
EPSS
0.24% (47% शतमक)
CVSS वेक्टर
The primary mitigation for CVE-2024-27132 is to upgrade MLflow to version 2.10.0 or later, which includes the necessary sanitization fixes. If immediate upgrading is not possible, restrict the execution of untrusted recipes to isolated environments with limited privileges. Consider implementing a Web Application Firewall (WAF) with rules to detect and block malicious JavaScript payloads targeting MLflow endpoints. Carefully review and validate all recipes before execution, particularly those sourced from external or untrusted origins. There are no specific Sigma or YARA rules readily available, but monitoring for unusual JavaScript execution within Jupyter Notebooks is recommended.
MLflow को 2.9.2 से बाद के संस्करण में अपडेट करें। यह अविश्वसनीय रेसिपी चलाते समय टेम्पलेट चर में सैनिटाइजेशन की कमी के कारण होने वाले XSS भेद्यता को ठीक कर देगा। अपडेट को pip पैकेज मैनेजर का उपयोग करके किया जा सकता है: `pip install --upgrade mlflow`।
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
CVE-2024-27132 is a critical XSS vulnerability in MLflow versions up to 2.9.2. It allows attackers to inject malicious code when running untrusted recipes, potentially leading to remote code execution.
You are affected if you are using MLflow version 2.9.2 or earlier. Upgrade to version 2.10.0 or later to resolve the vulnerability.
The recommended fix is to upgrade MLflow to version 2.10.0 or later. If upgrading is not immediately possible, restrict execution of untrusted recipes and consider WAF rules.
While no widespread exploitation has been confirmed, the potential for RCE makes it a high-priority vulnerability and a likely target for attackers.
Refer to the MLflow security advisory for detailed information and updates: [https://mlflow.org/docs/security](https://mlflow.org/docs/security)
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।
अपनी requirements.txt फ़ाइल अपलोड करें और तुरंत जानें कि आप प्रभावित हैं या नहीं।