35 matches found
BIT-MLFLOW-2025-15379 Command Injection in mlflow/mlflow
A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the installmodeldependenciestoenv function. When deploying a model with envmanager=LOCAL, MLflow reads dependency specifications from the model artifact's pythonenv.yaml file and...
CVE-2026-39420
MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an incomplete sandbox protection mechanism allows an authenticated user with tool execution privileges to escape the LDPRELOAD-based sandbox. By env command the attacker can clear the environment variables and drop...
CVE-2025-15379
A flaw was found in MLflow. When deploying a model with envmanager=LOCAL, MLflow's model serving container initialization code, specifically the installmodeldependenciestoenv function, reads dependency specifications from the model artifact's pythonenv.yaml file. An attacker can supply a maliciou...
GHSA-R23Q-823P-VMF7 MLflow Command Injection vulnerability
A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the installmodeldependenciestoenv function. When deploying a model with envmanager=LOCAL, MLflow reads dependency specifications from the model artifact's pythonenv.yaml file and...
EUVD-2025-209121
A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the installmodeldependenciestoenv function. When deploying a model with envmanager=LOCAL, MLflow reads dependency specifications from the model artifact's pythonenv.yaml file and...
MLflow Command Injection vulnerability
A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the installmodeldependenciestoenv function. When deploying a model with envmanager=LOCAL, MLflow reads dependency specifications from the model artifact's pythonenv.yaml file and...
Arbitrary Command Injection
Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Arbitrary Command Injection in the installmodeldependenciestoenv...
CVE-2025-15379
A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the installmodeldependenciestoenv function. When deploying a model with envmanager=LOCAL, MLflow reads dependency specifications from the model artifact's pythonenv.yaml file and...
CVE-2024-39934
Robotmk before 2.0.1 allows a local user to escalate privileges e.g., to SYSTEM if automated Python environment setup is enabled, because the "shared holotree usage" feature allows any user to edit any Python environment...
EUVD-2024-38308
Malicious code in bioql PyPI...
SUSE-SU-2025:02492-1 Security update 5.0.5 for Multi-Linux Manager Salt Bundle
This update fixes the following issues: venv-salt-minion: - Security issues fixed: - CVE-2024-38822: Fixed Minion token validation bsc1244561 - CVE-2024-38823: Fixed server vulnerability to replay attacks when not using a TLS encrypted transport bsc1244564 - CVE-2024-38824: Fixed directory...
CVE-2022-32552
Pure Storage FlashArray products running Purity//FA 6.2.0 - 6.2.3, 6.1.0 - 6.1.12, 6.0.0 - 6.0.8, 5.3.0 - 5.3.17, 5.2.x and prior Purity//FA releases, and Pure Storage FlashBlade products running Purity//FB 3.3.0, 3.2.0 - 3.2.4, 3.1.0 - 3.1.12, 3.0.x and prior Purity//FB releases are vulnerable t...
RockyLinux 9 : python3.12 (RLSA-2024:10978)
The remote RockyLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2024:10978 advisory. python: Virtual environment venv activation scripts don't quote paths CVE-2024-9287 python: Unbounded memory buffering in...
OESA-2025-1241 python-virtualenv security update
Virtualenv is a tool to create isolated Python environments. Since Python 3.3, a subset of it has been integrated into the standard library under the venv module. Note though, that the venv module does not offer all features of this library e.g. cannot create bootstrap scripts, cannot create...
ASTEVAL 安全漏洞
ASTEVAL is an open source library from lmfit that uses the ast module for parsimony evaluation of python expressions. A security vulnerability exists in ASTEVAL versions prior to 1.0.6, which stems from If an attacker has control over the inputs to the asteval library, it is possible to bypass...
USN-7117-3 needrestart regression
USN-7117-1 fixed vulnerabilities in needrestart. The update introduced a regression in needrestart. This update fixes the problem for LXC containers. We apologize for the inconvenience. Original advisory details: Qualys discovered that needrestart passed unsanitized data to a library...
CVE-2024-39934
Robotmk before 2.0.1 allows a local user to escalate privileges e.g., to SYSTEM if automated Python environment setup is enabled, because the "shared holotree usage" feature allows any user to edit any Python environment...
CVE-2024-39934
Robotmk before 2.0.1 allows a local user to escalate privileges e.g., to SYSTEM if automated Python environment setup is enabled, because the "shared holotree usage" feature allows any user to edit any Python environment...
CVE-2024-39934
Robotmk before 2.0.1 allows a local user to escalate privileges e.g., to SYSTEM if automated Python environment setup is enabled, because the "shared holotree usage" feature allows any user to edit any Python environment...
CVE-2024-39934
Robotmk before 2.0.1 allows a local user to escalate privileges e.g., to SYSTEM if automated Python environment setup is enabled, because the "shared holotree usage" feature allows any user to edit any Python environment...