
CVE-2024-37060: MLFlow unsafe deserialization

CVSS Score (v3.1): 8.8

Basic Information

EPSS Score: 0.52046%
Published: 6/4/2024
Updated: 6/21/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name: mlflow
Ecosystem: pip
Vulnerable Versions: >= 1.27.0, <= 2.14.1
First Patched Version: (none listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

CVE-2024-37060 concerns unsafe deserialization in the BaseCard.load method in recipes/cards/__init__.py. That code calls pickle.load() directly on a user-controlled file path, with no validation of the path and no safe deserialization mechanism, which matches the CWE-502 pattern and the advisory's description of Recipe-based exploitation. The other CVEs in the same advisory concern different components (sklearn, pyfunc, etc.); this entry specifically identifies BaseCard.load as the vulnerable entry point for this CVE.
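The pattern described above beside one mitigation (a restricted unpickler plus path confinement), as an added example that is not MLflow's code; load_card_unsafe and load_card_restricted are hypothetical stand-ins for BaseCard.load, and the sample inputs are constructed.

```python
# Added example, not MLflow's code: the pickle.load() pattern behind
# CVE-2024-37060 beside a hardened loader. load_card_unsafe and
# load_card_restricted are hypothetical stand-ins for BaseCard.load.
import datetime
import io
import os
import pickle

def load_card_unsafe(data: bytes):
    """CWE-502 pattern: every global named in the stream is imported and called."""
    return pickle.load(io.BytesIO(data))

class RestrictedUnpickler(pickle.Unpickler):
    """Resolves only an explicit allow-list of plain data types; any other
    global (arbitrary classes, os.*, subprocess.*, ...) raises before it runs."""
    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "str")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")

def load_card_restricted(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def path_within_root(candidate: str, root: str) -> bool:
    """Second guard: the card path must stay inside a trusted directory;
    realpath collapses '..' segments and symlinks before the comparison."""
    root_real = os.path.realpath(root)
    cand_real = os.path.realpath(os.path.join(root_real, candidate))
    return os.path.commonpath([root_real, cand_real]) == root_real

# Constructed sample inputs: a plain-data card and a stream that names a class.
def benign_card_bytes() -> bytes:
    return pickle.dumps({"step": "ingest", "metrics": [1, 2, 3]})

def foreign_class_bytes() -> bytes:
    # datetime.date is harmless, but it uses the same STACK_GLOBAL opcode that
    # any attacker-chosen class would; the restricted loader must refuse it.
    return pickle.dumps(datetime.date(2024, 6, 4))

def load_outcome(data: bytes) -> str:
    """'ok' or 'blocked', so the guard's behaviour is easy to assert."""
    try:
        load_card_restricted(data)
        return "ok"
    except pickle.UnpicklingError:
        return "blocked"
```

The allow-list is deliberately tiny; a real card loader would enumerate exactly the data types it persists and nothing that carries code.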


WAF Protection Rules

WAF Rule

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.27.0 or newer, enabling a maliciously crafted Recipe to execute arbitrary code on an end user's system when run.
