1231 matches found
Cross site scripting
Cross-site Scripting (XSS) - Reflected in GitHub repository mlflow/mlflow prior to 2.9.0...
PYSEC-2023-260
A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the Content-Type header in POST requests. An attacker can inject malicious JavaScript code into the Content-Type header, which is then improperly reflected back to the us...
CVE-2023-6568 Reflected XSS via Content-Type Header in mlflow/mlflow
A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the Content-Type header in POST requests. An attacker can inject malicious JavaScript code into the Content-Type header, which is then improperly reflected back to the us...
CVE-2023-6568
MLflow XSS (CVE-2023-6568): A reflected XSS exists in mlflow/mlflow due to how the Content-Type header from POST requests is handled. The vulnerability is in mlflow/server/auth/__init__.py, where user-supplied Content-Type is directly inserted into a Python-formatted string and returned, allowing a...
Mlflow Cross-Site Scripting Vulnerability
Mlflow is an open source platform for machine learning lifecycle. A cross-site scripting vulnerability exists in Mlflow versions prior to 2.9.0. An attacker exploiting this vulnerability could execute a cross-site scripting attack...
PT-2023-32696 · Mlflow · Mlflow
Name of the Vulnerable Software and Affected Versions: mlflow versions prior to 2.9.0. Description: A reflected Cross-Site Scripting (XSS) issue exists in the handling of the Content-Type header in POST requests. An attacker can inject malicious JavaScript code into the Content-Type header, which is...
a2 (>=0.1.0 <=0.3.17), abnativ (>=1.1.0 <=1.2.9) +339 more potentially affected by CVE-2023-43472 via mlflow (>=0.8.2 <=2.8.1)
mlflow PYPI version =0.8.2, =0.1.0, =1.1.0, =0.0.5, =0.1.0, =0.1.0, =1.7.0, =1.7.0, =1.8.0, =1.7.0, =1.7.0, =0.1.1, =0.1.5 - anovos =1.1.0 and more Source cves: CVE-2023-43472 Source advisory: OSV:GHSA-WQXF-447M-6F5F...
Information exposure in MLflow
An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API...
GHSA-WQXF-447M-6F5F Information exposure in MLflow
An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API...
CVE-2023-43472
An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API...
Design/Logic Flaw
An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API...
MLFlow Security Vulnerability
Mlflow is an open source platform for the machine learning lifecycle. A security vulnerability exists in MLFlow version 2.8.1 and prior versions. A remote attacker exploited the vulnerability to obtain sensitive information via a specially crafted REST API request...
CVE-2023-43472
MLFlow before 2.8.1 is affected by CVE-2023-43472. A remote attacker can disclose sensitive information via a crafted request to the MLFlow REST API. Impact described in sources: access to sensitive information stored in MLFlow. Root cause: issue exists in MLFlow 2.8.1 and earlier as stated in th...
PT-2023-28836 · Mlflow · Mlflow
Name of the Vulnerable Software and Affected Versions: MLFlow versions 2.8.1 and before. Description: An issue in MLFlow allows a remote attacker to obtain sensitive information via a crafted request to the REST API. Approximately 4,120 devices are potentially affected, mainly distributed in the...
VulnCheck KEV: CVE-2023-1177
Path Traversal: '..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1...
Path Traversal
mlflow is vulnerable to Path Traversal. The vulnerability is caused by missing validation of Windows file paths starting with a drive letter and colon (e.g. C:..), which result in relative paths when ultimately evaluated. This can lead to an attacker breaking out of the root mlflow directory e.g: ...
Authentication Bypass
mlflow is vulnerable to Authentication Bypass. The vulnerability is due to a bypass in both the mlflow server and mlflow UI around MLFlow's implementation of basic authentication. This flaw allows an unauthenticated malicious user to create a user/credential set using the 2.0 REST API...