CVE-2024-27133: 
NixOS vulnerability analysis and mitigation

CVE-2024-27133 is a cross-site scripting (XSS) vulnerability discovered in MLflow that leads to client-side remote code execution (RCE) when running a recipe with an untrusted dataset in Jupyter Notebook. The vulnerability stems from insufficient sanitization of dataset table fields (JFrog Advisory, NVD). The issue affects MLflow versions up to and including 2.9.2.

The vulnerability has been assigned a CVSS v3.1 base score of 9.6 (CRITICAL) by NIST with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H, while JFrog assigned a score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. The issue is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). The vulnerability specifically manifests when running MLflow recipes that utilize untrusted datasets, where the lack of proper sanitization of dataset table fields can lead to XSS attacks (NVD).

When exploited, this vulnerability can lead to client-side remote code execution (RCE) specifically when running recipes in Jupyter Notebook environments. The high severity ratings indicate that successful exploitation could result in significant compromise of the system's confidentiality, integrity, and availability (NVD).

A fix has been implemented and merged through a pull request to address the recipe card display format issue. Users should upgrade to a version newer than 2.9.2 to protect against this vulnerability (GitHub PR).