CVE-2024-4263
EPSS Score (v2025.03.14): There is a 0.1% chance that this vulnerability will be exploited in the wild within the next 30 days.
Description
A broken access control vulnerability exists in mlflow/mlflow versions before 2.10.1: low-privilege users holding only EDIT permission on an experiment can delete any of its artifacts. The server does not validate DELETE requests against the caller's permission level, so a user with EDIT permission can perform unauthorized artifact deletions. The flaw is specific to the handling of artifact deletions, as demonstrated by a low-privilege user deleting a directory inside an artifact with a DELETE request, even though the official documentation states that users with EDIT permission can only read and update artifacts, not delete them.
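The root cause described above is a method-to-permission mapping that treats DELETE like any other write. The following is an added illustration, not MLflow's own code: it models the documented permission policy (EDIT = read and update; MANAGE additionally = delete) as a hypothetical capability table, shows a flawed authorizer that lets an EDIT user's DELETE through, and the corrected authorizer that maps each HTTP method to the exact capability it requires with default deny. The experiment id, user name, artifact paths and permission names are constructed sample values.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Set, Tuple


# Permission levels and the capabilities each grants. Hypothetical table,
# modelled on the documented policy the advisory refers to (EDIT = read and
# update only, no delete); it is not MLflow's own code.
class Permission(Enum):
    READ = "READ"
    EDIT = "EDIT"
    MANAGE = "MANAGE"


CAPABILITIES: Dict[Permission, Set[str]] = {
    Permission.READ: {"read"},
    Permission.EDIT: {"read", "update"},
    Permission.MANAGE: {"read", "update", "delete"},
}

# Which capability each HTTP method on the artifact endpoint requires.
# Methods missing from this table are denied (default deny).
REQUIRED_CAPABILITY: Dict[str, str] = {
    "GET": "read",
    "HEAD": "read",
    "PUT": "update",
    "POST": "update",
    "DELETE": "delete",
}


@dataclass
class ArtifactStore:
    # experiment id -> set of artifact paths (constructed sample data)
    artifacts: Dict[str, Set[str]] = field(default_factory=lambda: {
        "exp-1": {"model/weights.bin", "model/config.json", "logs/run.txt"},
    })

    def delete_prefix(self, experiment: str, prefix: str) -> int:
        """Delete every artifact at or under `prefix` (a directory); return the count removed."""
        paths = self.artifacts.get(experiment, set())
        doomed = {p for p in paths if p == prefix or p.startswith(prefix.rstrip("/") + "/")}
        paths -= doomed
        return len(doomed)


class Forbidden(Exception):
    pass


Authorizer = Callable[[Permission, str], bool]


def authorize_vulnerable(perm: Permission, method: str) -> bool:
    # Flawed check: reads need "read", every other method is treated as an
    # update, so a DELETE from an EDIT-only user passes.
    if method in ("GET", "HEAD"):
        return "read" in CAPABILITIES[perm]
    return "update" in CAPABILITIES[perm]


def authorize_fixed(perm: Permission, method: str) -> bool:
    # Corrected check: look up the exact capability the method needs and
    # deny any method not in the table.
    needed = REQUIRED_CAPABILITY.get(method)
    return needed is not None and needed in CAPABILITIES[perm]


def handle_artifact_request(
    store: ArtifactStore,
    grants: Dict[Tuple[str, str], Permission],  # (user, experiment) -> permission
    user: str, experiment: str, method: str, path: str,
    authorize: Authorizer,
) -> int:
    """Dispatch one artifact request; returns the number of artifacts removed (0 unless DELETE)."""
    perm = grants.get((user, experiment))
    if perm is None or not authorize(perm, method):
        raise Forbidden(f"{user} may not {method} {experiment}/{path}")
    if method == "DELETE":
        return store.delete_prefix(experiment, path)
    return 0


def demo(authorize: Authorizer) -> Tuple[bool, int]:
    """Replay the advisory scenario: an EDIT-only user sends DELETE for a directory.
    Returns (deletion_was_allowed, artifacts_remaining_in_experiment)."""
    store = ArtifactStore()
    grants = {("alice", "exp-1"): Permission.EDIT}
    try:
        handle_artifact_request(store, grants, "alice", "exp-1", "DELETE", "model", authorize)
        allowed = True
    except Forbidden:
        allowed = False
    return allowed, len(store.artifacts["exp-1"])


if __name__ == "__main__":
    print("vulnerable:", demo(authorize_vulnerable))  # (True, 1)
    print("fixed:     ", demo(authorize_fixed))       # (False, 3)
```

The design point is that authorization must key on the precise action a request performs, not on a coarse read/write split: once DELETE is its own capability, the EDIT grant stops implying it, and unknown methods fall into the deny branch rather than the update branch. A detection angle follows directly from the same table: log any DELETE on an artifact path whose caller's recorded permission is below MANAGE.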
GitHub Security Advisories
MLflow allows low privilege users to delete any artifact
GHSA-p4jx-q62p-x5jr
Advisory Details
CVSS Scoring
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Advisory provided by GitHub Security Advisory Database. Published: May 16, 2024, Modified: May 16, 2024