1234 matches found

CNNVD
added 2024/06/06 12:0 a.m. · 2 views

MLflow Security Vulnerabilities

MLflow is an open source platform for machine learning lifecycles. A security vulnerability exists in MLflow that stems from the discovery of a Local File Inclusion (LFI) vulnerability...

7.5 CVSS · 6.8 AI score · 0.21847 EPSS
Exploits 2 · References 3

CNNVD
added 2024/06/06 12:0 a.m. · 3 views

Mlflow Security Vulnerabilities

MLflow is an open source platform for machine learning lifecycles. A security vulnerability exists in MLflow that stems from special elements used in operating system commands that are not properly neutralized, which allows an attacker to exploit path traversal or absolute path techniques to enab...

10 CVSS · 7.1 AI score · 0.02382 EPSS
Exploits 1 · References 3

Positive Technologies
added 2024/06/06 12:0 a.m. · 3 views

PT-2024-22849 · Mlflow · Mlflow

Name of the Vulnerable Software and Affected Versions: mlflow/mlflow versions 2.9.2 through 2.11.2

Description: A Local File Inclusion (LFI) issue was identified, arising from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker c...

7.5 CVSS · 7.3 AI score · 0.21847 EPSS
Exploits 2 · References 12

Wolfi
added 2024/06/04 12:31 p.m. · 18 views

GHSA-WF7F-8FXF-XFXC vulnerabilities

Vulnerabilities for packages: mlflow...

7.5 AI score
Exploits 0

Wolfi
added 2024/06/04 12:31 p.m. · 16 views

GHSA-CV6C-7963-WXCG vulnerabilities

Vulnerabilities for packages: mlflow...

7.5 AI score
Exploits 0

Wolfi
added 2024/06/04 12:31 p.m. · 11 views

GHSA-J8MG-PQC5-X9GJ vulnerabilities

Vulnerabilities for packages: mlflow...

7.5 AI score
Exploits 0

vulnersOsv
added 2024/06/04 12:31 p.m. · 4 views

a2 (>=0.1.0 <=0.3.17), agentos (>=0.0.5 <=0.0.7) +113 more potentially affected by CVE-2024-37060 via mlflow (>=1.27.0 <=2.14.1)

mlflow PYPI version =1.27.0, =0.1.0, =0.0.5, =1.0.72, =0.0.1, =1.0.72.1, =0.2.5, =0.1.3, =0.1.0, =0.2.0, =0.3.5, =0.8.0, =1.2.0, =1.9.30 and more Source cves: CVE-2024-37060 Source advisory: OSV:GHSA-CV6C-7963-WXCG...

8.8 CVSS · 7.2 AI score · 0.00769 EPSS
Exploits 1

Wolfi
added 2024/06/04 12:31 p.m. · 12 views

GHSA-CWGG-W6MP-W9HG vulnerabilities

Vulnerabilities for packages: mlflow...

7.5 AI score
Exploits 0

vulnersOsv
added 2024/06/04 12:31 p.m. · 6 views

autorad (=0.2.6), bernn (>=0.1.3 <=0.3.2) +31 more potentially affected by CVE-2024-37057 via mlflow (>=2.0.0rc0 <=2.14.1)

mlflow PYPI version =2.0.0rc0, =0.1.3, =1.2.0, =0.8.0, =0.0.10, =1.0.0, =0.0.1, =0.1.0, =1.10.2, =0.1.2, =1.2.7, =1.6.1, =0.2.9, =0.3.0 - llm-foundry =0.9.0 and more Source cves: CVE-2024-37057 Source advisory: OSV:GHSA-J8MG-PQC5-X9GJ...

8.8 CVSS · 7.2 AI score · 0.00618 EPSS
Exploits 1

vulnersOsv
added 2024/06/04 12:31 p.m. · 3 views

a2 (>=0.1.0 <=0.3.17), abadpour (>=6.13.1 <=7.24.1) +940 more potentially affected by CVE-2024-37059 via mlflow (>=0.8.2 <=3.4.0)

mlflow PYPI version =0.8.2, =0.1.0, =6.13.1, =9.273.1, =1.1.0, =0.1.0, =0.1.0, =0.4.4, =0.3.0, =0.0.5, =1.0.0, =0.1.0, =1.1.1 - ai-helpers-pytorch-utils =0.1.0a1 - ailine-core =0.5.5 and more Source cves: CVE-2024-37059 Source advisory: OSV:GHSA-WF7F-8FXF-XFXC...

8.8 CVSS · 7.4 AI score · 0.00618 EPSS
Exploits 1

vulnersOsv
added 2024/06/04 12:31 p.m. · 3 views

a2 (>=0.1.0 <=0.3.17), agentos (>=0.0.5 <=0.0.7) +165 more potentially affected by CVE-2024-37061 via mlflow (>=1.11.0 <=2.13.1)

mlflow PYPI version =1.11.0, =0.1.0, =0.0.5, =0.1.2, =1.0.72, =0.0.1, =1.0.72.1, =1.4.0, =0.2.5, =0.1.3, =3.0.0, =0.1.0, =0.2.0, =0.3.5, =0.3.8 and more Source cves: CVE-2024-37061 Source advisory: OSV:GHSA-PQCV-QW2R-R859...

8.8 CVSS · 7.2 AI score · 0.00884 EPSS
Exploits 1

OSV
added 2024/06/04 12:31 p.m. · 4 views

GHSA-J8MG-PQC5-X9GJ MLFlow unsafe deserialization

Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.0.0rc0 or newer, enabling a maliciously uploaded Tensorflow model to run arbitrary code on an end user’s system when interacted with...

8.8 CVSS · 6.1 AI score · 0.00618 EPSS
Exploits 1 · References 3

OSV
added 2024/06/04 12:31 p.m. · 1 view

GHSA-CWGG-W6MP-W9HG MLFlow unsafe deserialization

Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.5.0 or newer, enabling a maliciously uploaded Langchain AgentExecutor model to run arbitrary code on an end user’s system when interacted with...

8.8 CVSS · 6.1 AI score · 0.00618 EPSS
Exploits 1 · References 3

Chainguard
added 2024/06/04 12:31 p.m. · 35 views

GHSA-PQCV-QW2R-R859 vulnerabilities

Vulnerabilities for packages: mlflow...

7.3 AI score
Exploits 0

Wolfi
added 2024/06/04 12:31 p.m. · 114 views

GHSA-PQCV-QW2R-R859 vulnerabilities

Vulnerabilities for packages: mlflow...

7.5 AI score
Exploits 0

OSV
added 2024/06/04 12:31 p.m. · 2 views

GHSA-WF7F-8FXF-XFXC MLFlow unsafe deserialization

Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with...

8.8 CVSS · 7.4 AI score · 0.00618 EPSS
Exploits 1 · References 3

OSV
added 2024/06/04 12:31 p.m. · 10 views

GHSA-PQCV-QW2R-R859 MLFlow improper input validation

Remote Code Execution can occur in versions of the MLflow platform running version 1.11.0 or newer, enabling a maliciously crafted MLproject to execute arbitrary code on an end user’s system when run due to unfiltered input...

8.8 CVSS · 7.6 AI score · 0.00884 EPSS
Exploits 1 · References 3

OSV
added 2024/06/04 12:31 p.m. · 1 view

GHSA-CV6C-7963-WXCG MLFlow unsafe deserialization

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.27.0 or newer, enabling a maliciously crafted Recipe to execute arbitrary code on an end user’s system when run...

8.8 CVSS · 7.5 AI score · 0.00769 EPSS
Exploits 1 · References 3

Github Security Blog
added 2024/06/04 12:31 p.m. · 22 views

MLFlow unsafe deserialization

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.27.0 or newer, enabling a maliciously crafted Recipe to execute arbitrary code on an end user’s system when run...

8.8 CVSS · 8.9 AI score · 0.00769 EPSS
Exploits 1 · References 3 · Affected Software 1

Github Security Blog
added 2024/06/04 12:31 p.m. · 19 views

MLFlow unsafe deserialization

Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.5.0 or newer, enabling a maliciously uploaded Langchain AgentExecutor model to run arbitrary code on an end user’s system when interacted with...

8.8 CVSS · 8.8 AI score · 0.00618 EPSS
Exploits 1 · References 3 · Affected Software 1