BIT-MLFLOW-2023-6831 Path Traversal: '\..\filename' in mlflow/mlflow

Path Traversal: '..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2...

BIT-MLFLOW-2023-6909 Path Traversal: '\..\filename' in mlflow/mlflow

Path Traversal: '..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2...

Cross Site Scripting (XSS)

mlflow is vulnerable to Cross Site Scripting XSS. The vulnerability is due to insufficient sanitization while executing a recipe with an untrusted dataset, which results in client-side RCE in the Jupyter Notebook...

Cross Site Scripting (XSS)

mlflow is vulnerable to Cross Site Scripting XSS. The vulnerability is due to a lack of sanitization within the STACKTRACE and SCHEMA template variables, resulting in a client-side RCE when running an untrusted recipe in Jupyter Notebook...

a2 (>=0.1.0 <=0.3.17), agentos (>=0.0.5 <=0.0.7) +149 more potentially affected by CVE-2024-27133 via mlflow (>=0.8.2 <=2.0.1)

mlflow PYPI version =0.8.2, =0.1.0, =0.0.5, =0.1.2, =1.0.18.2, =0.0.1, =1.0.41, =1.4.0, =0.2.5, =3.0.0, =0.1.0, =0.2.0, =0.3.5, =0.8.0, =1.0.0 and more Source cves: CVE-2024-27133 Source advisory: OSV:GHSA-3V79-Q7PH-J75H...

Cross-site Scripting in MLFlow

Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe. This issue leads to a client-side RCE when running an untrusted recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over template variables...

MLFlow Cross-site Scripting vulnerability leads to client-side Remote Code Execution

Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over dataset table fields...

a2 (>=0.1.0 <=0.3.17), agentos (>=0.0.5 <=0.0.7) +149 more potentially affected by CVE-2024-27132 via mlflow (>=0.8.2 <=2.0.1)

mlflow PYPI version =0.8.2, =0.1.0, =0.0.5, =0.1.2, =1.0.18.2, =0.0.1, =1.0.41, =1.4.0, =0.2.5, =3.0.0, =0.1.0, =0.2.0, =0.3.5, =0.8.0, =1.0.0 and more Source cves: CVE-2024-27132 Source advisory: OSV:GHSA-6749-M5CP-6CG7...

GHSA-6749-M5CP-6CG7 Cross-site Scripting in MLFlow

Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe. This issue leads to a client-side RCE when running an untrusted recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over template variables...

GHSA-3V79-Q7PH-J75H MLFlow Cross-site Scripting vulnerability leads to client-side Remote Code Execution

Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over dataset table fields...

PYSEC-2024-240

Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe. This issue leads to a client-side RCE when running an untrusted recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over template variables...

PYSEC-2024-241

Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over dataset table fields...

a2 (>=0.1.0 <=0.3.17), agentos (>=0.0.5 <=0.0.7) +149 more potentially affected by CVE-2024-27133 via mlflow (>=0.8.2 <=2.0.1)

mlflow PYPI version =0.8.2, =0.1.0, =0.0.5, =0.1.2, =1.0.18.2, =0.0.1, =1.0.41, =1.4.0, =0.2.5, =3.0.0, =0.1.0, =0.2.0, =0.3.5, =0.8.0, =1.0.0 and more Source cves: CVE-2024-27133 Source advisory: OSV:PYSEC-2024-241...

PYSEC-2024-240

Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe.This issue leads to a client-side RCE when running an untrusted recipe in Jupyter Notebook.The vulnerability stems from lack of sanitization over template variables...

a2 (>=0.1.0 <=0.3.17), agentos (>=0.0.5 <=0.0.7) +149 more potentially affected by CVE-2024-27132 via mlflow (>=0.8.2 <=2.0.1)

mlflow PYPI version =0.8.2, =0.1.0, =0.0.5, =0.1.2, =1.0.18.2, =0.0.1, =1.0.41, =1.4.0, =0.2.5, =3.0.0, =0.1.0, =0.2.0, =0.3.5, =0.8.0, =1.0.0 and more Source cves: CVE-2024-27132 Source advisory: OSV:PYSEC-2024-240...

PYSEC-2024-241

Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over dataset table fields...

CVE-2024-27133

Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over dataset table fields...

CVE-2024-27132

Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe. This issue leads to a client-side RCE when running an untrusted recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over template variables...

CVE-2024-27133

Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over dataset table fields...

CVE-2024-27132

Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe. This issue leads to a client-side RCE when running an untrusted recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over template variables...