CVE-2025-1474

In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security risks, as accounts without passwords may be susceptible to unauthorized access. Additionally, this issue violates best practices for secure user account management. The issue is fixed in version 2.19.0.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/mlflow/mlflow/commit/149c9e18aa219bc47e86b432e130e467a36f4a17	Patch
https://huntr.com/bounties/e79f7774-10fe-46b2-b522-e73b748e3b2d	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*

History

27 Mar 2025, 15:36

Type	Values Removed	Values Added
First Time		Lfprojects mlflow Lfprojects
CVSS	v2 : ~~unknown~~ v3 : ~~3.8~~	v2 : unknown v3 : 5.5
Summary		(es) En la versión 2.18 de mlflow/mlflow, un administrador puede crear una nueva cuenta de usuario sin establecer una contraseña. Esta vulnerabilidad podría generar riesgos de seguridad, ya que las cuentas sin contraseña podrían ser vulnerables a accesos no autorizados. Además, este problema infringe las prácticas recomendadas para la administración segura de cuentas de usuario. El problema se solucionó en la versión 2.19.0.
CPE		cpe:2.3:a:lfprojects:mlflow::::::::
References	~~() https://github.com/mlflow/mlflow/commit/149c9e18aa219bc47e86b432e130e467a36f4a17 -~~	() https://github.com/mlflow/mlflow/commit/149c9e18aa219bc47e86b432e130e467a36f4a17 - Patch
References	~~() https://huntr.com/bounties/e79f7774-10fe-46b2-b522-e73b748e3b2d -~~	() https://huntr.com/bounties/e79f7774-10fe-46b2-b522-e73b748e3b2d - Exploit, Third Party Advisory

20 Mar 2025, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-20 10:15

Updated : 2025-03-27 15:36

NVD link : CVE-2025-1474

Mitre link : CVE-2025-1474

CVE.ORG link : CVE-2025-1474

JSON object : View

Products Affected

lfprojects

mlflow

CWE

CWE-521

Weak Password Requirements

{"id": "CVE-2025-1474", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 3.8, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 1.2}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 4.2, "exploitabilityScore": 1.2}]}, "published": "2025-03-20T10:15:54.037", "references": [{"url": "https://github.com/mlflow/mlflow/commit/149c9e18aa219bc47e86b432e130e467a36f4a17", "tags": ["Patch"], "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/e79f7774-10fe-46b2-b522-e73b748e3b2d", "tags": ["Exploit", "Third Party Advisory"], "source": "security@huntr.dev"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-521"}]}], "descriptions": [{"lang": "en", "value": "In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security risks, as accounts without passwords may be susceptible to unauthorized access. Additionally, this issue violates best practices for secure user account management. The issue is fixed in version 2.19.0."}, {"lang": "es", "value": "En la versi\u00f3n 2.18 de mlflow/mlflow, un administrador puede crear una nueva cuenta de usuario sin establecer una contrase\u00f1a. Esta vulnerabilidad podr\u00eda generar riesgos de seguridad, ya que las cuentas sin contrase\u00f1a podr\u00edan ser vulnerables a accesos no autorizados. Adem\u00e1s, este problema infringe las pr\u00e1cticas recomendadas para la administraci\u00f3n segura de cuentas de usuario. El problema se solucion\u00f3 en la versi\u00f3n 2.19.0."}], "lastModified": "2025-03-27T15:36:42.540", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "424AC5C6-1433-408C-B56C-5F9DA30FB856", "versionEndExcluding": "2.19.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@huntr.dev"}