CVE-2024-45187
Published: 23 August 2024
Summary
CVE-2024-45187 is a high-severity Insufficient Session Expiration (CWE-613) vulnerability in Mage Mage-Ai. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); it is ranked at the 24.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other Platforms; in the Other ATLAS/OWASP Terms risk domain; MITRE ATLAS techniques in scope: AI Supply Chain Compromise (AML.T0010), Exfiltration via AI Inference API (AML.T0024), External Harms (AML.T0048).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2604
Vulnerability details
Guest users in the Mage AI framework who remain logged in after their accounts are deleted are mistakenly given high privileges, specifically access to remotely execute arbitrary code through the Mage AI terminal server.
- CWE(s): CWE-613 Insufficient Session Expiration
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain: Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Mage AI is an open-source platform/framework for building and deploying data pipelines with integrated AI/ML capabilities, fitting under 'Other Platforms' as it is not a specific deep learning framework, library, or other narrow AI subcategory.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows deleted guest users to retain active sessions and gain admin privileges, enabling remote arbitrary code execution via the Mage AI terminal server. This directly facilitates exploitation of public-facing applications (T1190), exploitation of remote services (T1210), and exploitation for privilege escalation (T1068).
MITRE ATLAS Techniques
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Designation of a manager and policy dissemination ensures privileges are assigned according to defined roles.
- Locks the device (typically after inactivity) until re-authentication, addressing insufficient session expiration by preventing indefinite access.
- Automatically terminating sessions after a defined period directly enforces session expiration, preventing indefinite session lifetimes that attackers can exploit.
- Regular reviews catch incorrect privilege assignments to users, roles, or processes.
- Explicitly specifying privileges and group/role memberships for accounts reduces the risk of incorrect privilege assignments.
- The control requires explicit definition of separated access authorizations, making incorrect privilege assignments that bundle conflicting duties harder to implement.
- Ensures privileges are assigned only as necessary rather than incorrectly over-granted.
- Re-authentication after inactivity or time-based triggers prevents indefinite use of potentially hijacked or stale sessions.
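The weakness described under Vulnerability details (a deleted guest account whose session keeps working, with a privilege level that no longer comes from a real account) and the session-expiration controls above are illustrated by the following added example. It is not code from Mage AI; the session store, the `users` table and the timeout values are constructed assumptions. The check re-resolves the account on every request, revokes all sessions when an account is deleted, and enforces idle and absolute timeouts.

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before a session dies (assumed)
ABSOLUTE_TIMEOUT = 8 * 3600  # hard cap on total session lifetime (assumed)


@dataclass
class Session:
    user_id: int
    created: float
    last_seen: float


@dataclass
class SessionStore:
    users: dict                                   # constructed account table: user_id -> role
    sessions: dict = field(default_factory=dict)  # token -> Session

    def login(self, token: str, user_id: int, now: float) -> None:
        self.sessions[token] = Session(user_id, now, now)

    def delete_user(self, user_id: int) -> None:
        # Deleting an account must revoke every session bound to it (CWE-613 fix).
        self.users.pop(user_id, None)
        for tok in [t for t, s in self.sessions.items() if s.user_id == user_id]:
            del self.sessions[tok]

    def authorize(self, token: str, now: float):
        """Return the caller's current role, or None if the session is not valid."""
        s = self.sessions.get(token)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self.sessions[token]          # expired: drop it rather than keep serving it
            return None
        # Re-resolve the account on every request: the session must never outlive the
        # user record it was issued for, and the role comes from that live record, never
        # from anything cached in the session. A missing user means no access at all.
        role = self.users.get(s.user_id)
        if role is None:
            del self.sessions[token]
            return None
        s.last_seen = now
        return role


def demo():
    """Constructed scenario: a guest logs in, the account is deleted, the old token is reused."""
    store = SessionStore(users={1: "owner", 2: "guest"})
    t0 = 1_700_000_000.0
    store.login("tok-guest", 2, t0)
    before = store.authorize("tok-guest", t0 + 10)   # "guest"
    store.delete_user(2)
    after = store.authorize("tok-guest", t0 + 20)    # None: session did not survive deletion
    return before, after
```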