Lucene search
K

1235 matches found

OSV
OSV
added 2024/10/13 7:12 p.m.17 views

BIT-MLFLOW-2024-2928 Local File Inclusion (LFI) via URI Fragment Parsing in mlflow/mlflow

A Local File Inclusion LFI vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can...

7.5CVSS7.4AI score0.21847EPSS
Exploits2References3
OSV
OSV
added 2024/10/13 7:12 p.m.9 views

BIT-MLFLOW-2024-3099

A vulnerability in mlflow/mlflow version 2.11.1 allows attackers to create multiple models with the same name by exploiting URL encoding. This flaw can lead to Denial of Service DoS as an authenticated user might not be able to use the intended model, as it will open a different model each time...

5.4CVSS5.1AI score0.00442EPSS
Exploits1References1
Tenable Nessus
Tenable Nessus
added 2024/09/17 12:0 a.m.5 views

MLflow Registry Enumeration

Binary data mlflowregistryenumeration.nbin...

7.3AI score
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2024/09/17 12:0 a.m.18 views

MLFlow < 2.12.1 File Deletion

A broken access control vulnerability exists in mlflow/mlflow versions before 2.12.1, where low privilege users with only EDIT permissions on an experiment can delete any artifacts. This issue arises due to the lack of proper validation for DELETE requests by users with EDIT permissions, allowing...

5.4CVSS5.7AI score0.00329EPSS
Exploits1References4
Circl
Circl
added 2024/09/11 5:21 p.m.5 views

CVE-2024-2928

creationtimestamp| type| source ---|---|--- 2024-09-11 17:21:42+00:00| published-proof-of-concept| https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/mlflowcve20242928 2024-11-08 03:57:04+00:00| published-proof-of-concept| https://t.me/GithubRedTeam/8970...

7.5CVSS7.1AI score0.21847EPSS
Exploits2References3
Tenable Nessus
Tenable Nessus
added 2024/09/10 12:0 a.m.6 views

MLflow Detection

Binary data mlflowdetect.nbin...

7.3AI score
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2024/09/10 12:0 a.m.17 views

MLflow Detection

Binary data pythonmlflowdetect.nbin...

7.3AI score
Exploits0References1
Veracode
Veracode
added 2024/09/04 6:59 a.m.7 views

Remote Code Execution

mlflow is vulnerable to Remote Code Execution. The vulnerability is caused due to a defect where mflow allows to write/overwrite any file on the file system. A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information...

10CVSS7.3AI score0.47874EPSS
Exploits1References2Affected Software1
The Hacker News
The Hacker News
added 2024/08/26 10:31 a.m.42 views

Researchers Identify Over 20 Supply Chain Vulnerabilities in MLOps Platforms

Cybersecurity researchers are warning about the security risks in the machine learning ML software supply chain following the discovery of more than 20 vulnerabilities that could be exploited to target MLOps platforms. These vulnerabilities, which are described as inherent- and implementation-bas...

9.8CVSS9.5AI score0.81512EPSS
Exploits8
Tenable Nessus
Tenable Nessus
added 2024/06/26 12:0 a.m.14 views

MLflow Default Credentials

By default, MLflow does not require authentication to access the application. When enabling authentication, MLflow will enforce a basic authentication with default credentials. If not updated, a remote and unauthenticated attacker could access the MLflow UI and peform arbitrary actions on it. Thi...

7.8AI score
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2024/06/26 12:0 a.m.8 views

MLflow Unauthenticated Access

By default, MLflow does not require authentication to access the application. This allows an attacker to perform arbitrary modifications on experiments or models in the web interface. This detection is included in the AI and LLM category. No source data...

7.5AI score
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2024/06/20 12:0 a.m.9 views

MLflow Detected

This is an informational plugin to inform the user that the scanner has detected a publicly accessible MLflow instance on the target application. MLflow is a platform to streamline machine learning development and simplify model operations. This detection is included in the AI and LLM category. N...

7.2AI score
Exploits0References2
Veracode
Veracode
added 2024/06/17 6:19 a.m.18 views

Deserialization Of Untrusted Data

mlflow is vulnerable to Deserialization Of Untrusted Data. The vulnerability is due to unsafe deserialization in the function loadmodelfromlocalfile within sklearn/init.py. An attacker can inject a malicious pickle object into a model file on upload, which will be deserialized resulting in...

8.8CVSS7.1AI score0.00618EPSS
Exploits1References2Affected Software1
Veracode
Veracode
added 2024/06/17 4:59 a.m.20 views

Deserialization Of Untrusted Data

mlflow is vulnerable to Deserialization of Untrusted Data. The vulnerability is due to improper handling of untrusted data in the loadmodelfromlocalfile function within the sklearn/init.py. The vulnerability allows an attacker to inject a malicious pickle object into a model file on upload, which...

8.8CVSS7.3AI score0.00623EPSS
Exploits1References4Affected Software1
Veracode
Veracode
added 2024/06/14 9:11 a.m.20 views

Deserialization Of Untrusted Data

MLflow is vulnerable to Deserialization Of Untrusted Data. The vulnerability is due to unsafe handling user-supplied data in the sklearn/init.py within the loadmodelfromlocalfile function, which allows an attacker to inject a malicious pickle object into a model file on upload which will then be...

8.8CVSS7.5AI score0.00618EPSS
Exploits1References3Affected Software1
Veracode
Veracode
added 2024/06/14 7:29 a.m.23 views

Deserialization Of Untrusted Data

mlflow is vulnerable to Deserialization of Untrusted Data. The vulnerability is due to a lack of proper input validation during the pickle deserialization process within the BaseCard.load function in the recipes/cards/init.py file. This vulnerability allows an attacker to execute arbitrary code o...

8.8CVSS7.5AI score0.00769EPSS
Exploits1References4Affected Software1
Veracode
Veracode
added 2024/06/14 6:27 a.m.14 views

Deserialization Of Untrusted Data

mlflow is vulnerable to Deserialization of Untrusted Data. The vulnerability is caused due to improper handling of serialized data in the loadpyfunc function within mlflow/pyfunc/model.py. This flaw allows an attacker to inject a malicious pickle object into a PyFunc model file, which results in...

8.8CVSS7.3AI score0.00697EPSS
Exploits5References4Affected Software1
Veracode
Veracode
added 2024/06/14 5:37 a.m.12 views

Code Injection

mlflow is vulnerable to Code Injection. The vulnerability is caused due to improper input validation in the runentrypoint function within the projects/backend/local.py file. This vulnerability allows an attacker to execute arbitrary code on the victim's system by submitting a maliciously crafted...

8.8CVSS7.5AI score0.00884EPSS
Exploits1References4Affected Software1
Veracode
Veracode
added 2024/06/11 5:48 a.m.10 views

Undefined Behavior

mlflow is vulnerable to Undefined Behavior. The vulnerability is due to inadequate validation of model names, which allows an attacker to create multiple models with the same name, leading to potential Denial of Service DoS and data model poisoning...

5.4CVSS6.7AI score0.00442EPSS
Exploits1References3Affected Software1
Veracode
Veracode
added 2024/06/10 6:33 a.m.14 views

Deserialization Of Untrusted Data

mlflow is vulnerable to Deserialization of Untrusted Data. The vulnerability is due to inadequate input validation in the loadcustomobjects function within mlflow/tensorflow/init.py, which allows attackers to execute arbitrary code by injecting a malicious pickle object into the Tensorflow model...

8.8CVSS7.5AI score0.00618EPSS
Exploits1References4Affected Software1
Rows per page
Query Builder