Severity: Medium

mlflow

Improper Access Control in Artifact Deletion

A broken access control vulnerability in mlflow/mlflow version 2.11.0 allows low-privilege users holding only EDIT permissions to delete artifacts. This issue was patched in version 2.10.1.

Available publicly on Apr 26 2024

CVSS score: 5.4

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Credit: rook1337

Remediation Steps
  • Update to mlflow/mlflow version 2.10.1 or later.
  • Review and adjust permission settings for all users, ensuring that only trusted users have EDIT permissions on sensitive experiments.
  • Implement additional monitoring and logging to detect unauthorized access or modifications to artifacts.
  • Consider using network or application-level controls to restrict DELETE requests based on user roles and permissions.
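The last two remediation steps (monitoring for unauthorized artifact modifications, and gating DELETE requests by role) can be served by one policy function; the following is an added illustration, not code from the advisory or from MLflow. The permission table, the trusted level MANAGE, the artifact URL prefix and the log lines are all constructed assumptions.

```python
import re

# Assumption: a per-user permission table. The advisory only names EDIT as the
# over-privileged level, so "trusted" is modelled here as a MANAGE level.
USER_PERMISSIONS = {"alice": "MANAGE", "bob": "EDIT", "carol": "READ"}
TRUSTED_PERMISSIONS = {"MANAGE"}

# Constructed access-log lines: "<timestamp> <user> <method> <path> <status>".
# The artifact path prefix is an assumption, not taken from the advisory.
SAMPLE_LOG = """\
2024-04-26T10:00:01Z alice DELETE /api/2.0/mlflow-artifacts/artifacts/exp1/model.pkl 200
2024-04-26T10:00:05Z bob GET /api/2.0/mlflow-artifacts/artifacts/exp1/model.pkl 200
2024-04-26T10:00:09Z bob DELETE /api/2.0/mlflow-artifacts/artifacts/exp1/model.pkl 200
2024-04-26T10:00:12Z carol DELETE /api/2.0/mlflow-artifacts/artifacts/exp2/data.csv 403
2024-04-26T10:00:15Z bob POST /api/2.0/mlflow/runs/create 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
ARTIFACT_PREFIX = "/api/2.0/mlflow-artifacts/artifacts/"


def delete_allowed(user, method, path, perms=USER_PERMISSIONS):
    """Policy check for an application-level gate: only trusted users may
    issue DELETE against artifact paths; every other request passes through."""
    if method != "DELETE" or not path.startswith(ARTIFACT_PREFIX):
        return True
    return perms.get(user) in TRUSTED_PERMISSIONS


def find_untrusted_deletes(log_text, perms=USER_PERMISSIONS):
    """Detection over access logs: return (timestamp, user, path, status) for
    every artifact DELETE issued by a user who is not trusted. A 200 status on
    a hit means the deletion actually went through, which is the advisory's bug."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        if not delete_allowed(m["user"], m["method"], m["path"], perms):
            hits.append((m["ts"], m["user"], m["path"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for hit in find_untrusted_deletes(SAMPLE_LOG):
        print("untrusted artifact DELETE:", hit)
```

The same `delete_allowed` check can sit in front of the server (reverse proxy or middleware) to refuse the request, and behind it (over access logs) to flag attempts that got through before the patch was applied.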
Patch Details
  • Fixed Version: 2.10.1
  • Patch Commit: https://github.com/mlflow/mlflow/commit/b43e0e3de5b500554e13dc032ba2083b2d6c94b8