High severity · NVD Advisory · Published Jun 4, 2024 · Updated Aug 2, 2024
CVE-2024-37059
Description
Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mlflow (PyPI) | >= 0.5.0, <= 3.4.0 | — |
Affected products (9)
- osv-coords (8 versions): < 2.13.2-r0 + 7 more
  - pkg:apk/chainguard/mlflow
  - pkg:apk/chainguard/mlflow-bitnami
  - pkg:apk/chainguard/mlflow-iamguarded-compat
  - pkg:apk/wolfi/mlflow
  - pkg:apk/wolfi/mlflow-bitnami
  - pkg:apk/wolfi/mlflow-iamguarded-compat
  - pkg:bitnami/mlflow
  - pkg:pypi/mlflow
- (no CPE)range: < 2.13.2-r0
- (no CPE)range: < 2.13.2-r0
- (no CPE)range: < 3.5.1-r1
- (no CPE)range: < 2.13.2-r0
- (no CPE)range: < 2.13.2-r0
- (no CPE)range: < 3.5.1-r1
- (no CPE)range: >= 0.5.0, < 2.13.2
- (no CPE)range: >= 0.5.0, <= 3.4.0
Patches
Vulnerability mechanics
References (3)
News mentions (0): No linked articles in our index yet.