Medium

mlflow

Denial of Service via Large Integer Experiment Names

A vulnerability in MLflow v2.13.2 allows experiments to be created or renamed with names containing an excessively large number of integers, causing the UI to become unresponsive. This issue has not yet been patched.

Available publicly on Sep 16 2024

CVSS score: 5.3

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Credit: mnqazi

Remediation Steps
  • Implement a character limit on the experiment name field.
  • Implement a character limit on the artifact_location parameter.
  • Validate input lengths on the server side to prevent excessively long names.
  • Update the MLflow documentation to specify the new limits.
  • Test the UI to ensure it handles edge cases gracefully.
  • Release a patched version of MLflow addressing these issues.
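As an added illustration of the server-side length validation the remediation steps call for (example code, not MLflow's own; the limit constants, function and exception names are assumptions chosen for this example):

```python
# Added example (not MLflow's own code): server-side length validation for the
# experiment-name and artifact_location fields of a create/rename request.
# The limits below are assumptions chosen for illustration, not MLflow constants.

MAX_EXPERIMENT_NAME_LEN = 500      # assumed cap, not an MLflow constant
MAX_ARTIFACT_LOCATION_LEN = 2048   # assumed cap, not an MLflow constant


class InvalidExperimentInput(ValueError):
    """Raised when a create/rename experiment request fails validation."""


def _check_length(field, value, limit):
    """Reject non-string or over-long values before they reach the store or UI."""
    if not isinstance(value, str):
        raise InvalidExperimentInput(f"{field} must be a string")
    # Count characters (not bytes) so multi-byte names are not penalised twice.
    if len(value) > limit:
        raise InvalidExperimentInput(
            f"{field} exceeds {limit} characters (got {len(value)})"
        )


def validate_experiment_fields(name, artifact_location=None):
    """Validate the fields of a create/rename experiment request.

    Returns the stripped name on success and raises InvalidExperimentInput
    otherwise. Run this before any tracking-store write so an oversized name
    never ends up in the experiment list the UI has to render.
    """
    _check_length("experiment name", name, MAX_EXPERIMENT_NAME_LEN)
    name = name.strip()
    if not name:
        raise InvalidExperimentInput("experiment name must not be empty")
    if artifact_location is not None:
        _check_length("artifact_location", artifact_location, MAX_ARTIFACT_LOCATION_LEN)
    return name


def is_valid_request(name, artifact_location=None):
    """Boolean convenience wrapper for request handlers and tests."""
    try:
        validate_experiment_fields(name, artifact_location)
    except InvalidExperimentInput:
        return False
    return True
```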

Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A