11 matches found
MLflow Job API - Authentication Bypass
MLflow latest version contains an authentication bypass caused by unprotected FastAPI job endpoints under /ajax-api/3.0/jobs/ when basic-auth is enabled, letting unauthenticated network clients submit and manage jobs, exploit requires job execution enabled and allowlisted job functions. id:...
mlflow: FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization
In mlflow/mlflow, the FastAPI job endpoints under /ajax-api/3.0/jobs/ are not protected by authentication or authorization when the basic-auth app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled MLFLOWSERVERENABLEJOBEXECUTION=true and any j...
GHSA-7QHF-V65M-G5F3 mlflow: FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization
In mlflow/mlflow, the FastAPI job endpoints under /ajax-api/3.0/jobs/ are not protected by authentication or authorization when the basic-auth app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled MLFLOWSERVERENABLEJOBEXECUTION=true and any j...
MLflow 访问控制错误漏洞
MLflow is an open-source platform that simplifies machine learning development. It includes features like tracking experiments, packaging code for reproducible executions, and sharing and deploying models. There is a security vulnerability in MLflow, which stems from the lack of authentication or...
CVE-2025-15496
A vulnerability was determined in guchengwuyue yshopmall up to 1.9.1. Affected is the function getPage of the file /api/jobs. This manipulation of the argument sort causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The project...
CVE-2025-15496
A vulnerability was determined in guchengwuyue yshopmall up to 1.9.1. Affected is the function getPage of the file /api/jobs. This manipulation of the argument sort causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The project...
CVE-2025-15496 guchengwuyue yshopmall jobs getPage sql injection
A vulnerability was determined in guchengwuyue yshopmall up to 1.9.1. Affected is the function getPage of the file /api/jobs. This manipulation of the argument sort causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The project...
CVE-2025-15496 guchengwuyue yshopmall jobs getPage sql injection
A vulnerability was determined in guchengwuyue yshopmall up to 1.9.1. Affected is the function getPage of the file /api/jobs. This manipulation of the argument sort causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The project...
PT-2026-1775
Name of the Vulnerable Software and Affected Versions guchengwuyue yshopmall versions up to 1.9.1 Description A flaw exists in the getPage function within the /api/jobs file that allows for SQL injection through manipulation of the sort argument. This issue can be exploited remotely. The exploit ...
yshopmall 安全漏洞
yshopmall is a mall system by guchengwuyue personal developer. A security vulnerability exists in yshopmall 1.9.1 and earlier versions, which stems from the incorrect operation of the parameter sort in file/api/jobs, and may lead to SQL injection attacks...
com.mozu:mozu-api-jobs (>=1.0.13 <=1.0.23), gradle.plugin.com.atc.gradle.plugins.xd:spring-xd-deploy-plugin (>=0.0.1 <=0.0.8) +25 more potentially affected by CVE-2018-1229 via org.springframework.batch:spring-batch-admin-manager (>=1.3.0.RELEASE <=1.3.1.RELEASE)
org.springframework.batch:spring-batch-admin-manager MAVEN version =1.3.0.RELEASE, =1.0.13, =0.0.1, =1.3.1.RELEASE, =1.6.0.RELEASE, =1.0.0.RELEASE, =1.0.0.RELEASE, =1.1.0.RELEASE, =1.0.0.RELEASE, =1.0.0.RELEASE, =1.0.0.RELEASE, =1.1.0.RELEASE, =1.7.3.RELEASE -...