MLflow has emerged as the most vulnerable open source machine learning framework, with four critical (CVSS 10) vulnerabilities reported within 50 days, according to a Protect AI report.
Protect AI's AI/ML bug bounty program, huntr, found these vulnerabilities within the MLflow platform; they could allow Remote Code Execution (RCE), Arbitrary File Overwrite, and Local File Include. This could potentially lead to system takeover, sensitive information loss, denial of service, and destruction of data, according to Protect AI.
“The report includes four critical flaws found in MLflow, the popular open-source platform used by practitioners to manage various stages of a machine learning project, including experimentation, reproducibility, deployment, and a central model registry,” Protect AI said.
With less sought-after alternatives such as Amazon SageMaker, Neptune, Comet, and Kubeflow, MLflow is a widely popular machine learning lifecycle platform with more than 10 million monthly downloads and a rich user community that includes Facebook, Databricks, Microsoft, Accenture, and Booking.com.
huntr traced RCE-heavy vulnerabilities
Tracked as CVE-2024-0520, the latest vulnerability disclosed by huntr is a path traversal flaw in the code used to pull down remote data storage. The flaw can be used for a remote code execution (RCE) attack by tricking a user into using a malicious remote data source that can execute commands on the user's behalf.
The affected code is native to the mlflow.data module listed in the PyPI registry, which is used to help keep a record of model training and evaluation datasets. The bug, which was fixed in the latest release of MLflow, has had no known active exploitation.
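The flaw described above is a classic path traversal: a file name supplied by a remote data source is joined onto a local directory without checking that the result stays inside it. The following is an added example of the containment check a downloader should apply before writing anything to disk. It is not MLflow's code and does not reflect how the patched mlflow.data module is implemented; the function names, the base directory and the sample manifest are all constructed for illustration.

```python
from pathlib import Path


def safe_local_path(base_dir: str, remote_name: str) -> Path:
    """Map a file name received from a remote dataset source onto a local
    path that is guaranteed to stay inside base_dir.

    Hypothetical hardening helper (not MLflow's own code). It rejects
    absolute and drive/anchor-relative names, collapses '..' segments and
    follows symlinks via resolve(), and only then checks containment.
    """
    base = Path(base_dir).resolve()
    candidate = Path(remote_name)
    # An absolute name such as "/etc/passwd" would otherwise replace the
    # base directory entirely when joined, so refuse it outright.
    if candidate.is_absolute() or candidate.drive or candidate.anchor:
        raise ValueError(f"absolute path not allowed: {remote_name!r}")
    target = (base / candidate).resolve()
    # The containment check must run on the resolved form: a raw string
    # comparison would miss "sub/../../x" and symlinked escapes.
    try:
        target.relative_to(base)
    except ValueError:
        raise ValueError(f"path escapes base directory: {remote_name!r}") from None
    return target


def is_safe(base_dir: str, remote_name: str) -> bool:
    """Boolean form of the check, convenient for filtering a manifest."""
    try:
        safe_local_path(base_dir, remote_name)
        return True
    except ValueError:
        return False


# Constructed sample manifest, as a remote source might advertise it.
# Two entries attempt to escape the download directory; one uses a
# harmless '..' that still resolves inside it.
SAMPLE_MANIFEST = [
    "train/part-0.parquet",
    "eval/labels.csv",
    "../../.bashrc",
    "/etc/passwd",
    "nested/../ok.csv",
]


def filter_manifest(base_dir: str, names: list[str]) -> list[str]:
    """Return only the manifest entries that are safe to materialise."""
    return [n for n in names if is_safe(base_dir, n)]


if __name__ == "__main__":
    base = "/tmp/demo_artifact_cache"  # constructed; need not exist
    for name in SAMPLE_MANIFEST:
        print(f"{name!r:>25} -> {'ok' if is_safe(base, name) else 'REJECTED'}")
```

The check deliberately resolves both sides before comparing them; checking for a literal `..` in the string, or comparing unresolved prefixes, is the usual way such a guard is bypassed.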