HIGH 7.0

PYSEC-2024-224

Details

Excessive directory permissions in MLflow leads to local privilege escalation when using spark_udf. This behavior can be exploited by a local attacker to gain elevated permissions by using a ToCToU attack. The issue is only relevant when the spark_udf() MLflow API is called.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / mlflow

Introduced in: 0 Fixed in: 2.16.0

Fix pip install --upgrade 'mlflow>=2.16.0'

References

https://github.com/mlflow/mlflow/pull/10874 [REPORT]