Home > Vulnerability Database > CVE-2024-3099

Mend.io Vulnerability Database

CVE-2024-3099

Good to know:

Date: June 6, 2024

A vulnerability in mlflow/mlflow version 2.11.1 allows attackers to create multiple models with the same name by exploiting URL encoding. This flaw can lead to Denial of Service (DoS) as an authenticated user might not be able to use the intended model, as it will open a different model each time. Additionally, an attacker can exploit this vulnerability to perform data model poisoning by creating a model with the same name, potentially causing an authenticated user to become a victim by using the poisoned model. The issue stems from inadequate validation of model names, allowing for the creation of models with URL-encoded names that are treated as distinct from their URL-decoded counterparts.

Language: Python

Severity Score

5.4

Related Resources (4)

Url: https://github.com/mlflow/mlflow

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-3099

Url: https://huntr.com/bounties/8d96374a-ce8d-480e-9cb0-0a7e5165c24a

Url: https://www.mend.io/vulnerability-database/CVE-2024-3099

Severity Score

5.4

Weakness Type (CWE)

Undefined Behavior for Input to API

CWE-475

Top Fix

Upgrade Version

Upgrade to version mlflow - 2.11.3

Learn More

CVSS v3.1

Base Score:	5.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2024-3099

Good to know:

Date: June 6, 2024

Language: Python

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?