1231 matches found
CVE-2024-2928
creationtimestamp| type| source ---|---|--- 2024-09-11 17:21:42+00:00| published-proof-of-concept| https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/mlflowcve20242928 2024-11-08 03:57:04+00:00| published-proof-of-concept| https://t.me/GithubRedTeam/8970...
MLflow Detection
Binary data mlflowdetect.nbin...
MLflow Detection
Binary data pythonmlflowdetect.nbin...
Remote Code Execution
mlflow is vulnerable to Remote Code Execution. The vulnerability is caused due to a defect where mflow allows to write/overwrite any file on the file system. A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information...
Researchers Identify Over 20 Supply Chain Vulnerabilities in MLOps Platforms
Cybersecurity researchers are warning about the security risks in the machine learning ML software supply chain following the discovery of more than 20 vulnerabilities that could be exploited to target MLOps platforms. These vulnerabilities, which are described as inherent- and implementation-bas...
MLflow Default Credentials
By default, MLflow does not require authentication to access the application. When enabling authentication, MLflow will enforce a basic authentication with default credentials. If not updated, a remote and unauthenticated attacker could access the MLflow UI and peform arbitrary actions on it. Thi...
MLflow Unauthenticated Access
By default, MLflow does not require authentication to access the application. This allows an attacker to perform arbitrary modifications on experiments or models in the web interface. This detection is included in the AI and LLM category. No source data...
MLflow Detected
This is an informational plugin to inform the user that the scanner has detected a publicly accessible MLflow instance on the target application. MLflow is a platform to streamline machine learning development and simplify model operations. This detection is included in the AI and LLM category. N...
Deserialization Of Untrusted Data
mlflow is vulnerable to Deserialization Of Untrusted Data. The vulnerability is due to unsafe deserialization in the function loadmodelfromlocalfile within sklearn/init.py. An attacker can inject a malicious pickle object into a model file on upload, which will be deserialized resulting in...
Deserialization Of Untrusted Data
mlflow is vulnerable to Deserialization of Untrusted Data. The vulnerability is due to improper handling of untrusted data in the loadmodelfromlocalfile function within the sklearn/init.py. The vulnerability allows an attacker to inject a malicious pickle object into a model file on upload, which...
Deserialization Of Untrusted Data
MLflow is vulnerable to Deserialization Of Untrusted Data. The vulnerability is due to unsafe handling user-supplied data in the sklearn/init.py within the loadmodelfromlocalfile function, which allows an attacker to inject a malicious pickle object into a model file on upload which will then be...
Deserialization Of Untrusted Data
mlflow is vulnerable to Deserialization of Untrusted Data. The vulnerability is due to a lack of proper input validation during the pickle deserialization process within the BaseCard.load function in the recipes/cards/init.py file. This vulnerability allows an attacker to execute arbitrary code o...
Deserialization Of Untrusted Data
mlflow is vulnerable to Deserialization of Untrusted Data. The vulnerability is caused due to improper handling of serialized data in the loadpyfunc function within mlflow/pyfunc/model.py. This flaw allows an attacker to inject a malicious pickle object into a PyFunc model file, which results in...
Code Injection
mlflow is vulnerable to Code Injection. The vulnerability is caused due to improper input validation in the runentrypoint function within the projects/backend/local.py file. This vulnerability allows an attacker to execute arbitrary code on the victim's system by submitting a maliciously crafted...
Undefined Behavior
mlflow is vulnerable to Undefined Behavior. The vulnerability is due to inadequate validation of model names, which allows an attacker to create multiple models with the same name, leading to potential Denial of Service DoS and data model poisoning...
Deserialization Of Untrusted Data
mlflow is vulnerable to Deserialization of Untrusted Data. The vulnerability is due to inadequate input validation in the loadcustomobjects function within mlflow/tensorflow/init.py, which allows attackers to execute arbitrary code by injecting a malicious pickle object into the Tensorflow model...
Arbitrary File Write
mlflow is vulnerable to Arbitrary File Write. The vulnerability is due to improper santization within the mlflow.data.httpdatasetsource.py module, when fetching data over HTTP. The Content-Disposition header is used directly to construct the path where the file is saved to, which allows an attack...
Deserialization Of Untrusted Data
mlflow is vulnerable to Deserialization of Untrusted Data. The vulnerability is caused by a lack of validation in the loadfrompickle function in the mlflow/langchain/utils.py file, allowing an attacker to execute arbitrary code on the victim's system through a malicious Langchain AgentExecutor...
BIT-MLFLOW-2024-37052
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with...
BIT-MLFLOW-2024-37053
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with...