Lucene search
K

7 matches found

Github Security Blog
Github Security Blog
added 2026/04/03 6:31 p.m.10 views

mlflow: FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization

In mlflow/mlflow, the FastAPI job endpoints under /ajax-api/3.0/jobs/ are not protected by authentication or authorization when the basic-auth app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled MLFLOWSERVERENABLEJOBEXECUTION=true and any j...

9.8CVSS7.8AI score0.04392EPSS
Exploits1References3Affected Software1
Huntr
Huntr
added 2026/04/03 7:32 a.m.4 views

Authorization bypass on all trace endpoints when auth is enabled

Description When MLflow runs with auth enabled, the trace API endpoints don't have authorization validators registered. The beforerequest handler checks each request against BEFOREREQUESTHANDLERS — experiments, runs, models all have entries there, but traces have zero entries. When no validator i...

8.1CVSS5.8AI score0.00348EPSS
Exploits1
OSV
OSV
added 2024/03/06 10:57 a.m.15 views

BIT-MONGODB-2021-32037 User may trigger invariant when allowed to send commands directly to shards

An authorized user may trigger an invariant which may result in denial of service or server exit if a relevant aggregation request is sent to a shard. Usually, the requests are sent via mongos and special privileges are required in order to know the address of the shards and to log in to the shar...

6.5CVSS6.2AI score0.01181EPSS
Exploits0References2
Cvelist
Cvelist
added 2021/11/24 10:40 a.m.20 views

CVE-2021-32037 User may trigger invariant when allowed to send commands directly to shards

An authorized user may trigger an invariant which may result in denial of service or server exit if a relevant aggregation request is sent to a shard. Usually, the requests are sent via mongos and special privileges are required in order to know the address of the shards and to log in to the shar...

6.5CVSS6.6AI score0.01181EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2021/11/24 10:40 a.m.13 views

CVE-2021-32037 User may trigger invariant when allowed to send commands directly to shards

An authorized user may trigger an invariant which may result in denial of service or server exit if a relevant aggregation request is sent to a shard. Usually, the requests are sent via mongos and special privileges are required in order to know the address of the shards and to log in to the shar...

6.5CVSS6.4AI score0.01181EPSS
Exploits0References1
Debian CVE
Debian CVE
added 2021/11/24 10:40 a.m.14 views

CVE-2021-32037

Removed by vendor...

6.5CVSS6.5AI score0.01181EPSS
Exploits0
MongoDB
MongoDB
added 2021/11/24 12:0 a.m.30 views

User may trigger invariant when allowed to send commands directly to shards

An authorized user may trigger an invariant which may result in denial of service or server exit if a relevant aggregation request is sent to a shard. Usually, the requests are sent via mongos and special privileges are required in order to know the address of the shards and to log in to the shar...

6.5CVSS6.2AI score0.01181EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder