CVE-2024-3099

A vulnerability in mlflow/mlflow version 2.11.1 allows attackers to create multiple models with the same name by exploiting URL encoding. This flaw can lead to Denial of Service (DoS) as an authenticated user might not be able to use the intended model, as it will open a different model each time. Additionally, an attacker can exploit this vulnerability to perform data model poisoning by creating a model with the same name, potentially causing an authenticated user to become a victim by using the poisoned model. The issue stems from inadequate validation of model names, allowing for the creation of models with URL-encoded names that are treated as distinct from their URL-decoded counterparts.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector : AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/8d96374a-ce8d-480e-9cb0-0a7e5165c24a

Configurations

No configuration.

History

No history.

Information

Published : 2024-06-06 19:15

Updated : 2024-06-07 14:56

NVD link : CVE-2024-3099

Mitre link : CVE-2024-3099

CVE.ORG link : CVE-2024-3099

JSON object : View

Products Affected

No product.

CWE

CWE-475

Undefined Behavior for Input to API

{"id": "CVE-2024-3099", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 2.5, "exploitabilityScore": 2.8}]}, "published": "2024-06-06T19:15:59.393", "references": [{"url": "https://huntr.com/bounties/8d96374a-ce8d-480e-9cb0-0a7e5165c24a", "source": "security@huntr.dev"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-475"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in mlflow/mlflow version 2.11.1 allows attackers to create multiple models with the same name by exploiting URL encoding. This flaw can lead to Denial of Service (DoS) as an authenticated user might not be able to use the intended model, as it will open a different model each time. Additionally, an attacker can exploit this vulnerability to perform data model poisoning by creating a model with the same name, potentially causing an authenticated user to become a victim by using the poisoned model. The issue stems from inadequate validation of model names, allowing for the creation of models with URL-encoded names that are treated as distinct from their URL-decoded counterparts."}, {"lang": "es", "value": "Una vulnerabilidad en mlflow/mlflow versi\u00f3n 2.11.1 permite a los atacantes crear m\u00faltiples modelos con el mismo nombre explotando la codificaci\u00f3n URL. Esta falla puede provocar una denegaci\u00f3n de servicio (DoS), ya que es posible que un usuario autenticado no pueda utilizar el modelo deseado, ya que abrir\u00e1 un modelo diferente cada vez. Adem\u00e1s, un atacante puede aprovechar esta vulnerabilidad para envenenar el modelo de datos creando un modelo con el mismo nombre, lo que podr\u00eda provocar que un usuario autenticado se convierta en v\u00edctima al utilizar el modelo envenenado. El problema surge de una validaci\u00f3n inadecuada de los nombres de los modelos, lo que permite la creaci\u00f3n de modelos con nombres codificados en URL que se tratan como distintos de sus hom\u00f3logos decodificados en URL."}], "lastModified": "2024-06-07T14:56:05.647", "sourceIdentifier": "security@huntr.dev"}