CVE-2024-27134: 
NixOS vulnerability analysis and mitigation

CVE-2024-27134 is a local privilege escalation vulnerability discovered in MLflow when using the sparkudf functionality. The vulnerability was disclosed on November 25, 2024, and affects MLflow versions up to (excluding) 2.16.0. The issue stems from excessive directory permissions that can be exploited by a local attacker using a Time-of-check Time-of-use (ToCToU) attack when the sparkudf() MLflow API is called (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.0 HIGH with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is associated with two CWE categories: CWE-367 (Time-of-check Time-of-use Race Condition) and CWE-276 (Incorrect Default Permissions). The issue specifically manifests when using the spark_udf() MLflow API, where improper directory permissions can be exploited through a ToCToU attack (NVD).

The vulnerability allows a local attacker to gain elevated permissions within the system. The high CVSS score indicates potential severe impacts on confidentiality, integrity, and availability of the system when successfully exploited (NVD).

A fix for this vulnerability has been implemented through a pull request (#10874) to address the privilege escalation issue. Users are advised to upgrade to MLflow version 2.16.0 or later which contains the security fix (GitHub PR).