AVID-2026-R1634
Description
Cross-Site Request Forgery (CSRF) in polyaxon/polyaxon (CVE-2024-9365)
Details
A Cross-Site Request Forgery (CSRF) vulnerability in polyaxon/polyaxon v2.4.0 allows attackers to perform unauthorized actions in the context of the victim’s browser. This includes creating projects, model versions, and artifact versions, or changing settings. The impact of this vulnerability includes potential data loss and service disruption.
Reason for inclusion in AVID: CVE-2024-9365 describes a CSRF vulnerability in polyaxon, an ML orchestration platform used in AI workflows. This is a software vulnerability affecting a tool used in building/training/deploying AI systems, i.e., in the AI software stack. It concerns software supply chain components (library/framework/platform) rather than hardware/firmware, and impacts security, with potential unauthorized actions in the AI pipeline. The report provides CVE details, CVSS, etc.
References
Affected or Relevant Artifacts
- Developer: polyaxon
- Deployer: polyaxon
- Artifact Details:
| Type | Name |
|---|---|
| System | polyaxon/polyaxon |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Metric | Value |
|---|---|
| Version | 3.0 |
| Vector String | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
| Base Score | 6.5 |
| Base Severity | 🟠 Medium |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | NONE |
| User Interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | 🔴 High |
| Availability Impact | NONE |
CWE
| ID | Description |
|---|---|
| CWE-352 | Cross-Site Request Forgery (CSRF) |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2025-03-20
- Version: 0.3.3
- AVID Entry