में ठीक किया गया
2.9.3
2.10.0
CVE-2024-27133 describes a critical Cross-Site Scripting (XSS) vulnerability discovered in MLflow, a platform for managing the machine learning lifecycle. This flaw arises from insufficient sanitization of dataset table fields within MLflow recipes, leading to potential client-side Remote Code Execution (RCE) when recipes are executed in Jupyter Notebook using untrusted datasets. The vulnerability affects MLflow versions 2.9.2 and earlier; a fix is available in version 2.10.0.
The impact of CVE-2024-27133 is significant due to the potential for client-side RCE. An attacker could craft a malicious dataset that, when used in an MLflow recipe, injects arbitrary JavaScript code into the Jupyter Notebook environment. This code could then be executed by the user running the recipe, granting the attacker control over the user's session and potentially the underlying system. The attacker could steal credentials, install malware, or perform other malicious actions. The blast radius extends to any user running recipes with untrusted datasets in affected MLflow installations. This vulnerability shares similarities with other XSS attacks that leverage recipe execution environments to achieve code execution.
CVE-2024-27133 was publicly disclosed on February 23, 2024. The vulnerability's severity is classified as CRITICAL with a CVSS score of 9.6. Public proof-of-concept (PoC) code is likely to emerge given the ease of exploitation and the high impact. It is not currently listed on the CISA KEV catalog, but its criticality warrants monitoring. Active exploitation campaigns are possible, particularly targeting organizations using MLflow in production environments.
Organizations heavily reliant on MLflow for machine learning workflows, particularly those using Jupyter Notebooks and incorporating external or untrusted datasets into their recipes, are at significant risk. Teams using shared MLflow instances or those with less stringent data governance practices are also more vulnerable.
• python / mlflow:
import mlflow
# Check MLflow version
print(mlflow.__version__)
# Check for suspicious recipe configurations or dataset sources
# Review Jupyter Notebook logs for unusual JavaScript execution• generic web: • Check for unusual JavaScript execution in Jupyter Notebook logs. • Monitor for suspicious network activity originating from Jupyter Notebook processes.
disclosure
एक्सप्लॉइट स्थिति
EPSS
0.20% (43% शतमक)
CVSS वेक्टर
The primary mitigation for CVE-2024-27133 is to upgrade MLflow to version 2.10.0 or later, which includes the necessary sanitization fixes. If upgrading immediately is not feasible, consider restricting the use of untrusted datasets within MLflow recipes. Implement strict input validation and sanitization on any data sources used by recipes. Monitor Jupyter Notebook activity for suspicious JavaScript execution. While a WAF is unlikely to directly address this vulnerability, it can help detect and block malicious payloads. After upgrading, confirm the fix by running a recipe with a known malicious dataset and verifying that the injected JavaScript is properly sanitized and does not execute.
MLflow को 2.9.2 से बाद के संस्करण में अपडेट करें। यह `pip install --upgrade mlflow` का उपयोग करके किया जा सकता है। सुनिश्चित करें कि अपडेट सफलतापूर्वक हो गया है।
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
CVE-2024-27133 is a critical XSS vulnerability in MLflow versions up to 2.9.2. It allows attackers to inject malicious JavaScript code when running recipes with untrusted datasets, potentially leading to RCE in Jupyter Notebook.
You are affected if you are using MLflow version 2.9.2 or earlier and are running recipes with datasets from untrusted sources in a Jupyter Notebook environment.
Upgrade MLflow to version 2.10.0 or later to address the insufficient sanitization issue. If immediate upgrade is not possible, restrict the use of untrusted datasets in recipes.
While no active exploitation has been confirmed, the vulnerability's criticality and ease of exploitation make it a likely target for attackers. Monitoring for suspicious activity is recommended.
Refer to the MLflow security advisory for detailed information and updates: [https://mlflow.org/docs/security](https://mlflow.org/docs/security)
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।
अपनी requirements.txt फ़ाइल अपलोड करें और तुरंत जानें कि आप प्रभावित हैं या नहीं।