PyPI: mlflow
CVE-2024-27132
Safety vulnerability ID: SFTY-20240223-25505
Safety legacy ID: pyup.io-68487
Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe. This issue leads to a client-side RCE when running an untrusted recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over template variables.
Overview
Cross-site Scripting in MLflow
References
- https://getsafety.com/vulnerabilities/SFTY-20240223-25505/CVE-2024-27132
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27132
- https://github.com/advisories/GHSA-6749-m5cp-6cg7
- https://nvd.nist.gov/vuln/detail/CVE-2024-27132
- https://github.com/mlflow/mlflow/pull/10873
- https://research.jfrog.com/vulnerabilities/mlflow-untrusted-recipe-xss-jfsa-2024-000631930
- https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2024-240.yaml
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
