
CVE-2024-27134: MLflow's excessive directory permissions allow local privilege escalation

CVSS Score: 7 (v3.1)

Basic Information

EPSS Score: 0.01941%
Published: 11/25/2024
Updated: 11/25/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name: mlflow
Ecosystem: pip
Vulnerable Versions: < 2.16.0
First Patched Version: 2.16.0

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from the directory permission change in _create_model_downloading_tmp_dir() shown in the commit diff. The original world-writable 0o777 permissions allowed any local user to modify the temporary model directory. Because Spark UDF execution reads the directory's contents some time after they are written, this opened a race window (a time-of-check/time-of-use condition) for privilege escalation. The patch explicitly reduces the permissions to 0o770 to mitigate this. The function's direct involvement in Spark UDF workflows and the security-focused nature of the permission change confirm its role in the vulnerability.
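The before/after pattern described above, as an added illustration that is not MLflow's own code: one helper reproduces the world-writable temp directory, one the patched 0o770 variant with a post-creation check, and an audit helper lists world-writable directories under a model cache. The function names, the scratch directory and a POSIX filesystem are assumptions.

```python
import os
import shutil
import stat
import tempfile

# Added illustration, not MLflow's code: the before/after pattern of the
# _create_model_downloading_tmp_dir() permission change, plus an audit helper
# a defender can run over a model cache. Assumes a POSIX filesystem.


def create_model_tmp_dir_before(base_dir):
    """Pre-2.16.0 pattern: the temp dir is made world-writable (0o777)."""
    path = tempfile.mkdtemp(prefix="model-", dir=base_dir)
    os.chmod(path, 0o777)  # any local user can add, rename or swap entries
    return path


def create_model_tmp_dir_after(base_dir):
    """Patched pattern: owner/group only (0o770), then verify before use."""
    path = tempfile.mkdtemp(prefix="model-", dir=base_dir)
    os.chmod(path, 0o770)
    st = os.lstat(path)  # lstat so a symlink planted here is not followed
    if not stat.S_ISDIR(st.st_mode) or st.st_mode & stat.S_IWOTH:
        raise PermissionError("refusing unsafe model directory: " + path)
    return path


def world_writable_dirs(root):
    """Audit: return directories under root whose mode has the o+w bit set."""
    hits = []
    for dirpath, _dirs, _files in os.walk(root):
        if os.lstat(dirpath).st_mode & stat.S_IWOTH:
            hits.append(dirpath)
    return sorted(hits)


def demo():
    """Create one dir of each kind under a scratch base and report the result."""
    base = tempfile.mkdtemp(prefix="cache-")  # mkdtemp itself uses 0o700
    try:
        bad = create_model_tmp_dir_before(base)
        good = create_model_tmp_dir_after(base)
        return {
            "before_mode": stat.S_IMODE(os.stat(bad).st_mode),
            "after_mode": stat.S_IMODE(os.stat(good).st_mode),
            "audit_flags_only_bad_dir": world_writable_dirs(base) == [bad],
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

Note that 0o770 still lets every member of the owning group write into the directory, so the audit helper is worth extending with a group check on hosts where executors share a group with untrusted users.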


WAF Protection Rules

WAF Rule

Excessive directory permissions in MLflow leads to local privilege escalation when using spark_udf. This behavior can be exploited by a local attacker to gain elevated permissions by using a ToCToU attack. The issue is only relevant when the spark_ud
