1234 matches found
CVE-2024-2928
A Local File Inclusion LFI vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can...
a2 (>=0.1.0 <=0.3.17), agentos (>=0.0.5 <=0.0.7) +159 more potentially affected by CVE-2024-2928 via mlflow (>=0.8.2 <=2.11.1)
mlflow PYPI version =0.8.2, =0.1.0, =0.0.5, =0.1.2, =1.0.18.2, =0.0.1, =1.0.41, =1.4.0, =0.2.5, =3.0.0, =0.1.0, =0.2.0, =0.3.5, =0.8.0, =1.0.0 and more Source cves: CVE-2024-2928 Source advisory: OSV:PYSEC-2024-242...
CVE-2024-2928
A Local File Inclusion LFI vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can...
PYSEC-2024-242
A Local File Inclusion LFI vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can...
PYSEC-2024-239
A vulnerability in mlflow/mlflow version 8.2.1 allows for remote code execution due to improper neutralization of special elements used in an OS command 'Command Injection' within the mlflow.data.httpdatasetsource.py module. Specifically, when loading a dataset from a source URL with an HTTP...
a2 (>=0.1.0 <=0.3.17), abnativ (>=1.1.0 <=1.2.9) +339 more potentially affected by CVE-2024-0520 via mlflow (>=0.8.2 <=2.8.1)
mlflow PYPI version =0.8.2, =0.1.0, =1.1.0, =0.0.5, =0.1.0, =0.1.0, =1.7.0, =1.7.0, =1.8.0, =1.7.0, =1.7.0, =0.1.1, =0.1.5 - anovos =1.1.0 and more Source cves: CVE-2024-0520 Source advisory: OSV:PYSEC-2024-239...
CVE-2024-0520
A vulnerability in mlflow/mlflow version 8.2.1 allows for remote code execution due to improper neutralization of special elements used in an OS command 'Command Injection' within the mlflow.data.httpdatasetsource.py module. Specifically, when loading a dataset from a source URL with an HTTP...
CVE-2024-0520
A vulnerability in mlflow/mlflow version 8.2.1 allows for remote code execution due to improper neutralization of special elements used in an OS command 'Command Injection' within the mlflow.data.httpdatasetsource.py module. Specifically, when loading a dataset from a source URL with an HTTP...
PYSEC-2024-239
A vulnerability in mlflow/mlflow version 8.2.1 allows for remote code execution due to improper neutralization of special elements used in an OS command 'Command Injection' within the mlflow.data.httpdatasetsource.py module. Specifically, when loading a dataset from a source URL with an HTTP...
CVE-2024-2928 Local File Inclusion (LFI) via URI Fragment Parsing in mlflow/mlflow
A Local File Inclusion LFI vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can...
CVE-2024-2928
Summary: MLflow
CVE-2024-2928 Local File Inclusion (LFI) via URI Fragment Parsing in mlflow/mlflow
A Local File Inclusion LFI vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can...
CVE-2024-0520 Remote Code Execution due to Full Controlled File Write in mlflow/mlflow
A vulnerability in mlflow/mlflow version 8.2.1 allows for remote code execution due to improper neutralization of special elements used in an OS command 'Command Injection' within the mlflow.data.httpdatasetsource.py module. Specifically, when loading a dataset from a source URL with an HTTP...
CVE-2024-0520 Remote Code Execution due to Full Controlled File Write in mlflow/mlflow
A vulnerability in mlflow/mlflow version 8.2.1 allows for remote code execution due to improper neutralization of special elements used in an OS command 'Command Injection' within the mlflow.data.httpdatasetsource.py module. Specifically, when loading a dataset from a source URL with an HTTP...
CVE-2024-0520
CVE-2024-0520 affects mlflow/mlflow v8.2.1, enabling remote code execution via command injection in mlflow.data.http_dataset_source.py when loading an HTTP URL dataset. The filename gathered from Content-Disposition or URL path is used to form the final file path without proper sanitization, allo...
CVE-2024-3099 Denial of Service and Data Model Poisoning via URL Encoding in mlflow/mlflow
A vulnerability in mlflow/mlflow version 2.11.1 allows attackers to create multiple models with the same name by exploiting URL encoding. This flaw can lead to Denial of Service DoS as an authenticated user might not be able to use the intended model, as it will open a different model each time...
CVE-2024-3099 Denial of Service and Data Model Poisoning via URL Encoding in mlflow/mlflow
A vulnerability in mlflow/mlflow version 2.11.1 allows attackers to create multiple models with the same name by exploiting URL encoding. This flaw can lead to Denial of Service DoS as an authenticated user might not be able to use the intended model, as it will open a different model each time...
CVE-2024-3099
CVE-2024-3099 affects mlflow/mlflow 2.11.1 and is caused by inadequate validation of model names, allowing URL-encoded names to be treated as distinct from their decoded counterparts. This enables an attacker to create multiple models with the same name, leading to DoS (an authenticated user may ...
Mlflow Security Vulnerabilities
Mlflow is an open source platform for machine learning lifecycles. A security vulnerability exists in Mlflow that stems from the ability to create multiple models with the same name using URL encoding, potentially leading to a denial of service...
PT-2024-23711 · Mlflow · Mlflow
Name of the Vulnerable Software and Affected Versions: mlflow/mlflow version 2.11.1 Description: A vulnerability in mlflow/mlflow allows attackers to create multiple models with the same name by exploiting URL encoding. This flaw can lead to Denial of Service DoS as an authenticated user might no...