Vulnerabilities > CVE-2024-6838 - Unspecified vulnerability in Lfprojects Mlflow 2.13.2

CVSS 5.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

LOW

network

low complexity

lfprojects

NVD

Published: 2025-03-20

Updated: 2025-04-01

Summary

In mlflow/mlflow version v2.13.2, a vulnerability exists that allows the creation or renaming of an experiment with a large number of integers in its name due to the lack of a limit on the experiment name. This can cause the MLflow UI panel to become unresponsive, leading to a potential denial of service. Additionally, there is no character limit in the `artifact_location` parameter while creating the experiment.

Vulnerable Configurations

Part	Description	Count
Application	Lfprojects Lfprojects Mlflow 2.13.2	1

References

https://huntr.com/bounties/8ad52cb2-2cda-4eb0-aec9-586060ee43e0
https://huntr.com/bounties/8ad52cb2-2cda-4eb0-aec9-586060ee43e0