// For flags

CVE-2024-4263

Improper Access Control in mlflow/mlflow

Severity Score

5.4
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

A broken access control vulnerability exists in mlflow/mlflow versions before 2.10.1, where low privilege users with only EDIT permissions on an experiment can delete any artifacts. This issue arises due to the lack of proper validation for DELETE requests by users with EDIT permissions, allowing them to perform unauthorized deletions of artifacts. The vulnerability specifically affects the handling of artifact deletions within the application, as demonstrated by the ability of a low privilege user to delete a directory inside an artifact using a DELETE request, despite the official documentation stating that users with EDIT permission can only read and update artifacts, not delete them.

Existe una vulnerabilidad de control de acceso roto en las versiones mlflow/mlflow anteriores a la 2.10.1, donde los usuarios con privilegios bajos y con solo permisos EDITAR en un experimento pueden eliminar cualquier artefacto. Este problema surge debido a la falta de una validación adecuada para las solicitudes DELETE realizadas por usuarios con permisos EDIT, lo que les permite realizar eliminaciones no autorizadas de artefactos. La vulnerabilidad afecta específicamente el manejo de eliminaciones de artefactos dentro de la aplicación, como lo demuestra la capacidad de un usuario con privilegios bajos de eliminar un directorio dentro de un artefacto mediante una solicitud DELETE, a pesar de que la documentación oficial indica que los usuarios con permiso EDITAR solo pueden leer y actualizar. artefactos, no eliminarlos.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
None
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-04-26 CVE Reserved
  • 2024-05-16 CVE Published
  • 2024-08-01 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-284: Improper Access Control
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Lfprojects
Search vendor "Lfprojects"
 Mlflow
Search vendor "Lfprojects" for product "Mlflow"
*-
Affected