How severe is CVE-2024-3099?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5.4 out of 10.

What type of vulnerability is CVE-2024-3099?

This is classified as CWE-475, which is a common weakness in software security.

CVE-2024-3099 - MEDIUM Severity | CVSS 5.4

Vulnerability Description

A vulnerability in mlflow/mlflow version 2.11.1 allows attackers to create multiple models with the same name by exploiting URL encoding. This flaw can lead to Denial of Service (DoS) as an authenticated user might not be able to use the intended model, as it will open a different model each time. Additionally, an attacker can exploit this vulnerability to perform data model poisoning by creating a model with the same name, potentially causing an authenticated user to become a victim by using the poisoned model. The issue stems from inadequate validation of model names, allowing for the creation of models with URL-encoded names that are treated as distinct from their URL-decoded counterparts.

Related Vulnerabilities

CVE-2023-52533

MEDIUM

CVSS:5.3(Medium)

In modem-ps-nas-ngmm, there is a possible undefined behavior due to incorrect error handling. This could lead to remote information disclosure no additional execution privileges needed

CWE-4752023

CVE-2023-4875

MEDIUM

CVSS:5.7(Medium)

Null pointer dereference when composing from a specially crafted draft message in Mutt >1.5.2 <2.2.12

CWE-4752023

CVE-2023-2253

MEDIUM

CVSS:6.5(Medium)

A flaw was found in the `/v2/_catalog` endpoint in distribution/distribution, which accepts a parameter to control the maximum number of records returned (query string: `n`). This vulnerability allows...

CWE-4752023

CVE-2023-4874

MEDIUM

CVSS:6.5(Medium)

Null pointer dereference when viewing a specially crafted email in Mutt >1.5.2 <2.2.12

CWE-4752023

CVE-2024-7046

MEDIUM

CVSS:4.3(Medium)

An improper access control vulnerability in open-webui/open-webui v0.3.8 allows an attacker to view admin details. The application does not verify whether the attacker is an administrator, allowing th...

CWE-4752024

CVE-2024-12390

HIGH

CVSS:8.8(High)

A vulnerability in binary-husky/gpt_academic version git 310122f allows for remote code execution. The application supports the extraction of user-provided RAR files without proper validation. The Pyt...

CWE-4752024