-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathCVE-2024-0520.yaml
37 lines (34 loc) · 1.19 KB
/
CVE-2024-0520.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
id: CVE-2024-0520
info:
name: Command Injection in mlflow.data.http_dataset_source
author: ProjectDiscoveryAI
severity: high
description: A vulnerability in mlflow/mlflow version 8.2.1 allows for remote code execution due to improper neutralization of special elements used in an OS command ('Command Injection') within the `mlflow.data.http_dataset_source.py` module.
impact: |
Successful exploitation could allow an attacker to execute arbitrary commands on the target system.
remediation: |
Ensure input validation and proper sanitization of user-supplied data to prevent command injection attacks.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2024-0520
cwe-id: CWE-23,CWE-22
epss-score: 0.00089
epss-percentile: 0.39357
cpe: cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*
metadata:
vendor: lfprojects
product: mlflow
shodan-query: http.title:"mlflow"
fofa-query: app="MLflow"
google-query: intitle:"mlflow"
http:
- method: GET
path:
- "{{BaseURL}}/"
matchers:
- type: word
words:
- "/tmp/poc.txt"
part: header
condition: and