Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/33502?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/33502?format=api", "purl": "pkg:pypi/mlflow@2.3.1", "type": "pypi", "namespace": "", "name": "mlflow", "version": "2.3.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "3.11.0rc0", "latest_non_vulnerable_version": "3.11.0rc0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36791?format=api", "vulnerability_id": "VCID-7m3u-tyeh-rqgz", "summary": "A broken access control vulnerability exists in mlflow/mlflow versions before 2.10.1, where low privilege users with only EDIT permissions on an experiment can delete any artifacts. This issue arises due to the lack of proper validation for DELETE requests by users with EDIT permissions, allowing them to perform unauthorized deletions of artifacts. The vulnerability specifically affects the handling of artifact deletions within the application, as demonstrated by the ability of a low privilege user to delete a directory inside an artifact using a DELETE request, despite the official documentation stating that users with EDIT permission can only read and update artifacts, not delete them.", "references": [ { "reference_url": "https://github.com/mlflow/mlflow/commit/b43e0e3de5b500554e13dc032ba2083b2d6c94b8", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/mlflow/mlflow/commit/b43e0e3de5b500554e13dc032ba2083b2d6c94b8" }, { "reference_url": "https://huntr.com/bounties/bfa116d3-2af8-4c4a-ac34-ccde7491ae11", "reference_id": "", "reference_type": "", "scores": [], "url": "https://huntr.com/bounties/bfa116d3-2af8-4c4a-ac34-ccde7491ae11" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/41032?format=api", "purl": "pkg:pypi/mlflow@2.10.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-cu1t-7wnm-y7hk" }, { "vulnerability": "VCID-g9p5-4cqv-qfew" }, { "vulnerability": "VCID-hz26-bm34-gkfx" }, { "vulnerability": "VCID-jbuf-3rr2-5kcv" }, { "vulnerability": "VCID-pzmb-xzk9-s7dy" }, { "vulnerability": "VCID-rcqb-2498-77e2" }, { "vulnerability": "VCID-syg7-c85s-4ufu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.10.1" } ], "aliases": [ "CVE-2024-4263", "PYSEC-2024-51" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7m3u-tyeh-rqgz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36630?format=api", "vulnerability_id": "VCID-93v9-5y4m-t7dz", "summary": "A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the Content-Type header in POST requests. An attacker can inject malicious JavaScript code into the Content-Type header, which is then improperly reflected back to the user without adequate sanitization or escaping, leading to arbitrary JavaScript execution in the context of the victim's browser. The vulnerability is present in the mlflow/server/auth/__init__.py file, where the user-supplied Content-Type header is directly injected into a Python formatted string and returned to the user, facilitating the XSS attack.", "references": [ { "reference_url": "https://github.com/mlflow/mlflow/commit/28ff3f94994941e038f2172c6484b65dc4db6ca1", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://github.com/mlflow/mlflow/commit/28ff3f94994941e038f2172c6484b65dc4db6ca1" }, { "reference_url": "https://huntr.com/bounties/816bdaaa-8153-4732-951e-b0d92fddf709", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://huntr.com/bounties/816bdaaa-8153-4732-951e-b0d92fddf709" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6568", "reference_id": "CVE-2023-6568", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6568" }, { "reference_url": "https://github.com/advisories/GHSA-vwhf-3v6x-wff8", "reference_id": "GHSA-vwhf-3v6x-wff8", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-vwhf-3v6x-wff8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38207?format=api", "purl": "pkg:pypi/mlflow@2.9.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7m3u-tyeh-rqgz" }, { "vulnerability": "VCID-93v9-5y4m-t7dz" }, { "vulnerability": "VCID-cu1t-7wnm-y7hk" }, { "vulnerability": "VCID-deyg-v3z9-6fet" }, { "vulnerability": "VCID-ep2z-9m6r-6ubu" }, { "vulnerability": "VCID-g9p5-4cqv-qfew" }, { "vulnerability": "VCID-hz26-bm34-gkfx" }, { "vulnerability": "VCID-j3ax-7a88-f7ff" }, { "vulnerability": "VCID-jbuf-3rr2-5kcv" }, { "vulnerability": "VCID-ns8z-pwe6-vbby" }, { "vulnerability": "VCID-pzmb-xzk9-s7dy" }, { "vulnerability": "VCID-rcqb-2498-77e2" }, { "vulnerability": "VCID-s76e-s9ut-2bdq" }, { "vulnerability": "VCID-saca-pg4n-xucu" }, { "vulnerability": "VCID-syg7-c85s-4ufu" }, { "vulnerability": "VCID-vd8p-48kf-yyg6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.9.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/38208?format=api", "purl": "pkg:pypi/mlflow@2.9.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7m3u-tyeh-rqgz" }, { "vulnerability": "VCID-cu1t-7wnm-y7hk" }, { "vulnerability": "VCID-deyg-v3z9-6fet" }, { "vulnerability": "VCID-ep2z-9m6r-6ubu" }, { "vulnerability": "VCID-g9p5-4cqv-qfew" }, { "vulnerability": "VCID-hz26-bm34-gkfx" }, { "vulnerability": "VCID-j3ax-7a88-f7ff" }, { "vulnerability": "VCID-jbuf-3rr2-5kcv" }, { "vulnerability": "VCID-ns8z-pwe6-vbby" }, { "vulnerability": "VCID-pzmb-xzk9-s7dy" }, { "vulnerability": "VCID-rcqb-2498-77e2" }, { "vulnerability": "VCID-s76e-s9ut-2bdq" }, { "vulnerability": "VCID-saca-pg4n-xucu" }, { "vulnerability": "VCID-syg7-c85s-4ufu" }, { "vulnerability": "VCID-vd8p-48kf-yyg6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.9.1" } ], "aliases": [ "CVE-2023-6568", "GHSA-vwhf-3v6x-wff8", "PYSEC-2023-260" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-93v9-5y4m-t7dz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36505?format=api", "vulnerability_id": "VCID-an1e-3jdw-7yaw", "summary": "OS Command Injection in GitHub repository mlflow/mlflow prior to 2.6.0.", "references": [ { "reference_url": "https://github.com/mlflow/mlflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/mlflow/mlflow" }, { "reference_url": "https://github.com/mlflow/mlflow/commit/6dde93758d42455cb90ef324407919ed67668b9b", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/mlflow/mlflow/commit/6dde93758d42455cb90ef324407919ed67668b9b" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2023-280.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2023-280.yaml" }, { "reference_url": "https://huntr.dev/bounties/5312d6f8-67a5-4607-bd47-5e19966fa321", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://huntr.dev/bounties/5312d6f8-67a5-4607-bd47-5e19966fa321" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4033", "reference_id": "CVE-2023-4033", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4033" }, { "reference_url": "https://github.com/advisories/GHSA-ffw3-6378-cqgp", "reference_id": "GHSA-ffw3-6378-cqgp", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-ffw3-6378-cqgp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35079?format=api", "purl": "pkg:pypi/mlflow@2.6.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7m3u-tyeh-rqgz" }, { "vulnerability": "VCID-93v9-5y4m-t7dz" }, { "vulnerability": "VCID-cu1t-7wnm-y7hk" }, { "vulnerability": "VCID-deyg-v3z9-6fet" }, { "vulnerability": "VCID-ep2z-9m6r-6ubu" }, { "vulnerability": "VCID-g9p5-4cqv-qfew" }, { "vulnerability": "VCID-hz26-bm34-gkfx" }, { "vulnerability": "VCID-j3ax-7a88-f7ff" }, { "vulnerability": "VCID-jbuf-3rr2-5kcv" }, { "vulnerability": "VCID-ns8z-pwe6-vbby" }, { "vulnerability": "VCID-pzmb-xzk9-s7dy" }, { "vulnerability": "VCID-rcqb-2498-77e2" }, { "vulnerability": "VCID-s76e-s9ut-2bdq" }, { "vulnerability": "VCID-saca-pg4n-xucu" }, { "vulnerability": "VCID-syg7-c85s-4ufu" }, { "vulnerability": "VCID-vd8p-48kf-yyg6" }, { "vulnerability": "VCID-wwe2-hxs5-t7eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.6.0" } ], "aliases": [ "CVE-2023-4033", "GHSA-ffw3-6378-cqgp", "PYSEC-2023-280" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-an1e-3jdw-7yaw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37267?format=api", "vulnerability_id": "VCID-cu1t-7wnm-y7hk", "summary": "MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access.\n\n \nThis issue affects MLflow version through 3.10.1", "references": [ { "reference_url": "https://afine.com/blogs/attacking-mlflow-how-ml-artifacts-become-attack-vectors", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" } ], "url": "https://afine.com/blogs/attacking-mlflow-how-ml-artifacts-become-attack-vectors" }, { "reference_url": "https://cert.pl/en/posts/2026/04/CVE-2026-33865/", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" } ], "url": "https://cert.pl/en/posts/2026/04/CVE-2026-33865/" }, { "reference_url": "https://github.com/mlflow/mlflow/pull/21708", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" } ], "url": "https://github.com/mlflow/mlflow/pull/21708" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49217?format=api", "purl": "pkg:pypi/mlflow@3.11.0rc0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@3.11.0rc0" } ], "aliases": [ "CVE-2026-33866", "PYSEC-2026-94" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cu1t-7wnm-y7hk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36734?format=api", "vulnerability_id": "VCID-deyg-v3z9-6fet", "summary": "Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe.\n\nThis issue leads to a client-side RCE when running an untrusted recipe in Jupyter Notebook.\n\nThe vulnerability stems from lack of sanitization over template variables.", "references": [ { "reference_url": "https://github.com/mlflow/mlflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/mlflow/mlflow" }, { "reference_url": "https://github.com/mlflow/mlflow/pull/10873", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" } ], "url": "https://github.com/mlflow/mlflow/pull/10873" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2024-240.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2024-240.yaml" }, { "reference_url": "https://research.jfrog.com/vulnerabilities/mlflow-untrusted-recipe-xss-jfsa-2024-000631930", "reference_id": "", "reference_type": "", "scores": [], "url": "https://research.jfrog.com/vulnerabilities/mlflow-untrusted-recipe-xss-jfsa-2024-000631930" }, { "reference_url": "https://research.jfrog.com/vulnerabilities/mlflow-untrusted-recipe-xss-jfsa-2024-000631930/", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" } ], "url": "https://research.jfrog.com/vulnerabilities/mlflow-untrusted-recipe-xss-jfsa-2024-000631930/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27132", "reference_id": "CVE-2024-27132", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27132" }, { "reference_url": "https://github.com/advisories/GHSA-6749-m5cp-6cg7", "reference_id": "GHSA-6749-m5cp-6cg7", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6749-m5cp-6cg7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40186?format=api", "purl": "pkg:pypi/mlflow@2.10.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7m3u-tyeh-rqgz" }, { "vulnerability": "VCID-cu1t-7wnm-y7hk" }, { "vulnerability": "VCID-g9p5-4cqv-qfew" }, { "vulnerability": "VCID-hz26-bm34-gkfx" }, { "vulnerability": "VCID-jbuf-3rr2-5kcv" }, { "vulnerability": "VCID-pzmb-xzk9-s7dy" }, { "vulnerability": "VCID-rcqb-2498-77e2" }, { "vulnerability": "VCID-syg7-c85s-4ufu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.10.0" } ], "aliases": [ "CVE-2024-27132", "GHSA-6749-m5cp-6cg7", "PYSEC-2024-240" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-deyg-v3z9-6fet" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36635?format=api", "vulnerability_id": "VCID-ep2z-9m6r-6ubu", "summary": "Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository mlflow/mlflow prior to 2.9.2.", "references": [ { "reference_url": "https://github.com/mlflow/mlflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/mlflow/mlflow" }, { "reference_url": "https://github.com/mlflow/mlflow/commit/432b8ccf27fd3a76df4ba79bb1bec62118a85625", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/mlflow/mlflow/commit/432b8ccf27fd3a76df4ba79bb1bec62118a85625" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2023-281.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2023-281.yaml" }, { "reference_url": "https://huntr.com/bounties/9e4cc07b-6fff-421b-89bd-9445ef61d34d", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://huntr.com/bounties/9e4cc07b-6fff-421b-89bd-9445ef61d34d" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6709", "reference_id": "CVE-2023-6709", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6709" }, { "reference_url": "https://github.com/advisories/GHSA-cxfr-5q3r-2rc2", "reference_id": "GHSA-cxfr-5q3r-2rc2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-cxfr-5q3r-2rc2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38278?format=api", "purl": "pkg:pypi/mlflow@2.9.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22x6-fafr-y3db" }, { "vulnerability": "VCID-7m3u-tyeh-rqgz" }, { "vulnerability": "VCID-cu1t-7wnm-y7hk" }, { "vulnerability": "VCID-deyg-v3z9-6fet" }, { "vulnerability": "VCID-fsds-g6hy-jud8" }, { "vulnerability": "VCID-g9p5-4cqv-qfew" }, { "vulnerability": "VCID-hz26-bm34-gkfx" }, { "vulnerability": "VCID-j3ax-7a88-f7ff" }, { "vulnerability": "VCID-jbuf-3rr2-5kcv" }, { "vulnerability": "VCID-kx8z-7c3y-kkb5" }, { "vulnerability": "VCID-pzmb-xzk9-s7dy" }, { "vulnerability": "VCID-rcqb-2498-77e2" }, { "vulnerability": "VCID-syg7-c85s-4ufu" }, { "vulnerability": "VCID-vd8p-48kf-yyg6" }, { "vulnerability": "VCID-wdb6-4eqr-myd2" }, { "vulnerability": "VCID-yseh-dp68-wkfd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.9.2" } ], "aliases": [ "CVE-2023-6709", "GHSA-cxfr-5q3r-2rc2", "PYSEC-2023-281" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ep2z-9m6r-6ubu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37266?format=api", "vulnerability_id": "VCID-g9p5-4cqv-qfew", "summary": "MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim. \n\nThis issue affects MLflow version through 3.10.1", "references": [ { "reference_url": "https://afine.com/blogs/attacking-mlflow-how-ml-artifacts-become-attack-vectors", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://afine.com/blogs/attacking-mlflow-how-ml-artifacts-become-attack-vectors" }, { "reference_url": "https://cert.pl/en/posts/2026/04/CVE-2026-33865/", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://cert.pl/en/posts/2026/04/CVE-2026-33865/" }, { "reference_url": "https://github.com/mlflow/mlflow/pull/21435", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://github.com/mlflow/mlflow/pull/21435" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49217?format=api", "purl": "pkg:pypi/mlflow@3.11.0rc0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@3.11.0rc0" } ], "aliases": [ "CVE-2026-33865", "PYSEC-2026-93" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g9p5-4cqv-qfew" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37014?format=api", "vulnerability_id": "VCID-hz26-bm34-gkfx", "summary": "In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security risks, as accounts without passwords may be susceptible to unauthorized access. Additionally, this issue violates best practices for secure user account management. The issue is fixed in version 2.19.0.", "references": [ { "reference_url": "https://github.com/mlflow/mlflow/commit/149c9e18aa219bc47e86b432e130e467a36f4a17", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N" } ], "url": "https://github.com/mlflow/mlflow/commit/149c9e18aa219bc47e86b432e130e467a36f4a17" }, { "reference_url": "https://huntr.com/bounties/e79f7774-10fe-46b2-b522-e73b748e3b2d", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N" } ], "url": "https://huntr.com/bounties/e79f7774-10fe-46b2-b522-e73b748e3b2d" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/44730?format=api", "purl": "pkg:pypi/mlflow@2.19.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-cu1t-7wnm-y7hk" }, { "vulnerability": "VCID-g9p5-4cqv-qfew" }, { "vulnerability": "VCID-rcqb-2498-77e2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.19.0" } ], "aliases": [ "CVE-2025-1474", "PYSEC-2025-17" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hz26-bm34-gkfx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36735?format=api", "vulnerability_id": "VCID-j3ax-7a88-f7ff", "summary": "Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over dataset table fields.", "references": [ { "reference_url": "https://github.com/mlflow/mlflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/mlflow/mlflow" }, { "reference_url": "https://github.com/mlflow/mlflow/commit/c43823750bffa5b6abcc086683b15a068513b67b", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/mlflow/mlflow/commit/c43823750bffa5b6abcc086683b15a068513b67b" }, { "reference_url": "https://github.com/mlflow/mlflow/commit/cfa71879a884cc3520e23ccab998c9aa78fdf2b1", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/mlflow/mlflow/commit/cfa71879a884cc3520e23ccab998c9aa78fdf2b1" }, { "reference_url": "https://github.com/mlflow/mlflow/pull/10893", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" } ], "url": "https://github.com/mlflow/mlflow/pull/10893" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2024-241.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2024-241.yaml" }, { "reference_url": "https://research.jfrog.com/vulnerabilities/mlflow-untrusted-dataset-xss-jfsa-2024-000631932", "reference_id": "", "reference_type": "", "scores": [], "url": "https://research.jfrog.com/vulnerabilities/mlflow-untrusted-dataset-xss-jfsa-2024-000631932" }, { "reference_url": "https://research.jfrog.com/vulnerabilities/mlflow-untrusted-dataset-xss-jfsa-2024-000631932/", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" } ], "url": "https://research.jfrog.com/vulnerabilities/mlflow-untrusted-dataset-xss-jfsa-2024-000631932/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27133", "reference_id": "CVE-2024-27133", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27133" }, { "reference_url": "https://github.com/advisories/GHSA-3v79-q7ph-j75h", "reference_id": "GHSA-3v79-q7ph-j75h", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3v79-q7ph-j75h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40186?format=api", "purl": "pkg:pypi/mlflow@2.10.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7m3u-tyeh-rqgz" }, { "vulnerability": "VCID-cu1t-7wnm-y7hk" }, { "vulnerability": "VCID-g9p5-4cqv-qfew" }, { "vulnerability": "VCID-hz26-bm34-gkfx" }, { "vulnerability": "VCID-jbuf-3rr2-5kcv" }, { "vulnerability": "VCID-pzmb-xzk9-s7dy" }, { "vulnerability": "VCID-rcqb-2498-77e2" }, { "vulnerability": "VCID-syg7-c85s-4ufu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.10.0" } ], "aliases": [ "CVE-2024-27133", "GHSA-3v79-q7ph-j75h", "PYSEC-2024-241" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j3ax-7a88-f7ff" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36807?format=api", "vulnerability_id": "VCID-jbuf-3rr2-5kcv", "summary": "A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system, including sensitive files like '/etc/passwd'. The vulnerability is a bypass to a previous patch that only addressed similar manipulation within the URI's query string, highlighting the need for comprehensive validation of all parts of a URI to prevent LFI attacks.", "references": [ { "reference_url": "https://github.com/mlflow/mlflow/commit/96f0b573a73d8eedd6735a2ce26e08859527be07", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://github.com/mlflow/mlflow/commit/96f0b573a73d8eedd6735a2ce26e08859527be07" }, { "reference_url": "https://huntr.com/bounties/19bf02d7-6393-4a95-b9d0-d6d4d2d8c298", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://huntr.com/bounties/19bf02d7-6393-4a95-b9d0-d6d4d2d8c298" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/41037?format=api", "purl": "pkg:pypi/mlflow@2.11.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-cu1t-7wnm-y7hk" }, { "vulnerability": "VCID-g9p5-4cqv-qfew" }, { "vulnerability": "VCID-hz26-bm34-gkfx" }, { "vulnerability": "VCID-pzmb-xzk9-s7dy" }, { "vulnerability": "VCID-rcqb-2498-77e2" }, { "vulnerability": "VCID-syg7-c85s-4ufu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.11.3" } ], "aliases": [ "CVE-2024-2928", "PYSEC-2024-242" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jbuf-3rr2-5kcv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36646?format=api", "vulnerability_id": "VCID-ns8z-pwe6-vbby", "summary": "Path Traversal: '\\..\\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.", "references": [ { "reference_url": "https://github.com/mlflow/mlflow/commit/1da75dfcecd4d169e34809ade55748384e8af6c1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" } ], "url": "https://github.com/mlflow/mlflow/commit/1da75dfcecd4d169e34809ade55748384e8af6c1" }, { "reference_url": "https://huntr.com/bounties/0acdd745-0167-4912-9d5c-02035fe5b314", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" } ], "url": "https://huntr.com/bounties/0acdd745-0167-4912-9d5c-02035fe5b314" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6831", "reference_id": "CVE-2023-6831", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6831" }, { "reference_url": "https://github.com/advisories/GHSA-554w-xh4j-8w64", "reference_id": "GHSA-554w-xh4j-8w64", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-554w-xh4j-8w64" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38278?format=api", "purl": "pkg:pypi/mlflow@2.9.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22x6-fafr-y3db" }, { "vulnerability": "VCID-7m3u-tyeh-rqgz" }, { "vulnerability": "VCID-cu1t-7wnm-y7hk" }, { "vulnerability": "VCID-deyg-v3z9-6fet" }, { "vulnerability": "VCID-fsds-g6hy-jud8" }, { "vulnerability": "VCID-g9p5-4cqv-qfew" }, { "vulnerability": "VCID-hz26-bm34-gkfx" }, { "vulnerability": "VCID-j3ax-7a88-f7ff" }, { "vulnerability": "VCID-jbuf-3rr2-5kcv" }, { "vulnerability": "VCID-kx8z-7c3y-kkb5" }, { "vulnerability": "VCID-pzmb-xzk9-s7dy" }, { "vulnerability": "VCID-rcqb-2498-77e2" }, { "vulnerability": "VCID-syg7-c85s-4ufu" }, { "vulnerability": "VCID-vd8p-48kf-yyg6" }, { "vulnerability": "VCID-wdb6-4eqr-myd2" }, { "vulnerability": "VCID-yseh-dp68-wkfd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.9.2" } ], "aliases": [ "CVE-2023-6831", "GHSA-554w-xh4j-8w64", "PYSEC-2023-253" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ns8z-pwe6-vbby" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36492?format=api", "vulnerability_id": "VCID-p21k-ac5p-9kam", "summary": "Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0.", "references": [ { "reference_url": "https://github.com/mlflow/mlflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/mlflow/mlflow" }, { "reference_url": "https://github.com/mlflow/mlflow/commit/6dde93758d42455cb90ef324407919ed67668b9b", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" } ], "url": "https://github.com/mlflow/mlflow/commit/6dde93758d42455cb90ef324407919ed67668b9b" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2023-308.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2023-308.yaml" }, { "reference_url": "https://huntr.dev/bounties/4be5fd63-8a0a-490d-9ee1-f33dc768ed76", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" } ], "url": "https://huntr.dev/bounties/4be5fd63-8a0a-490d-9ee1-f33dc768ed76" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3765", "reference_id": "CVE-2023-3765", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3765" }, { "reference_url": "https://github.com/advisories/GHSA-fmxj-6h9g-6vw3", "reference_id": "GHSA-fmxj-6h9g-6vw3", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-fmxj-6h9g-6vw3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34992?format=api", "purl": "pkg:pypi/mlflow@2.5.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1r11-xvzt-suhp" }, { "vulnerability": "VCID-7m3u-tyeh-rqgz" }, { "vulnerability": "VCID-93v9-5y4m-t7dz" }, { "vulnerability": "VCID-an1e-3jdw-7yaw" }, { "vulnerability": "VCID-cu1t-7wnm-y7hk" }, { "vulnerability": "VCID-deyg-v3z9-6fet" }, { "vulnerability": "VCID-ep2z-9m6r-6ubu" }, { "vulnerability": "VCID-g9p5-4cqv-qfew" }, { "vulnerability": "VCID-hz26-bm34-gkfx" }, { "vulnerability": "VCID-j3ax-7a88-f7ff" }, { "vulnerability": "VCID-jbuf-3rr2-5kcv" }, { "vulnerability": "VCID-ns8z-pwe6-vbby" }, { "vulnerability": "VCID-pzmb-xzk9-s7dy" }, { "vulnerability": "VCID-rcqb-2498-77e2" }, { "vulnerability": "VCID-s76e-s9ut-2bdq" }, { "vulnerability": "VCID-saca-pg4n-xucu" }, { "vulnerability": "VCID-syg7-c85s-4ufu" }, { "vulnerability": "VCID-vd8p-48kf-yyg6" }, { "vulnerability": "VCID-wwe2-hxs5-t7eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.5.0" } ], "aliases": [ "CVE-2023-3765", "GHSA-fmxj-6h9g-6vw3", "PYSEC-2023-308" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p21k-ac5p-9kam" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36792?format=api", "vulnerability_id": "VCID-pzmb-xzk9-s7dy", "summary": "A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '#' character can be used to insert a path into the fragment, effectively skipping validation. This allows an attacker to construct a URL that, when processed, ignores the protocol scheme and uses the provided path for filesystem access. As a result, an attacker can read arbitrary files, including sensitive information such as SSH and cloud keys, by exploiting the way the application converts the URL into a filesystem path. The issue stems from insufficient validation of the fragment portion of the URL, leading to arbitrary file read through path traversal.", "references": [ { "reference_url": "https://github.com/mlflow/mlflow/commit/f8d51e21523238280ebcfdb378612afd7844eca8", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://github.com/mlflow/mlflow/commit/f8d51e21523238280ebcfdb378612afd7844eca8" }, { "reference_url": "https://huntr.com/bounties/8d5aadaa-522f-4839-b41b-d7da362dd610", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://huntr.com/bounties/8d5aadaa-522f-4839-b41b-d7da362dd610" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/41040?format=api", "purl": "pkg:pypi/mlflow@2.12.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-cu1t-7wnm-y7hk" }, { "vulnerability": "VCID-g9p5-4cqv-qfew" }, { "vulnerability": "VCID-hz26-bm34-gkfx" }, { "vulnerability": "VCID-rcqb-2498-77e2" }, { "vulnerability": "VCID-syg7-c85s-4ufu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.12.1" } ], "aliases": [ "CVE-2024-3848", "PYSEC-2024-244" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pzmb-xzk9-s7dy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37088?format=api", "vulnerability_id": "VCID-rcqb-2498-77e2", "summary": "gateway_proxy_handler in MLflow before 3.1.0 lacks gateway_path validation.", "references": [ { "reference_url": "https://github.com/mlflow/mlflow/issues/15944", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/mlflow/mlflow/issues/15944" }, { "reference_url": "https://github.com/mlflow/mlflow/pull/15970", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/mlflow/mlflow/pull/15970" }, { "reference_url": "https://github.com/mlflow/mlflow/releases/tag/v3.1.0", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/mlflow/mlflow/releases/tag/v3.1.0" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/45835?format=api", "purl": "pkg:pypi/mlflow@3.1.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-cu1t-7wnm-y7hk" }, { "vulnerability": "VCID-g9p5-4cqv-qfew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@3.1.0" } ], "aliases": [ "CVE-2025-52967", "PYSEC-2025-52" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rcqb-2498-77e2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36647?format=api", "vulnerability_id": "VCID-s76e-s9ut-2bdq", "summary": "Path Traversal: '\\..\\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.", "references": [ { "reference_url": "https://github.com/mlflow/mlflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/mlflow/mlflow" }, { "reference_url": "https://github.com/mlflow/mlflow/commit/1da75dfcecd4d169e34809ade55748384e8af6c1", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://github.com/mlflow/mlflow/commit/1da75dfcecd4d169e34809ade55748384e8af6c1" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2023-252.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2023-252.yaml" }, { "reference_url": "https://huntr.com/bounties/11209efb-0f84-482f-add0-587ea6b7e850", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://huntr.com/bounties/11209efb-0f84-482f-add0-587ea6b7e850" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6909", "reference_id": "CVE-2023-6909", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6909" }, { "reference_url": "https://github.com/advisories/GHSA-5r3q-93q3-f978", "reference_id": "GHSA-5r3q-93q3-f978", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-5r3q-93q3-f978" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38278?format=api", "purl": "pkg:pypi/mlflow@2.9.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22x6-fafr-y3db" }, { "vulnerability": "VCID-7m3u-tyeh-rqgz" }, { "vulnerability": "VCID-cu1t-7wnm-y7hk" }, { "vulnerability": "VCID-deyg-v3z9-6fet" }, { "vulnerability": "VCID-fsds-g6hy-jud8" }, { "vulnerability": "VCID-g9p5-4cqv-qfew" }, { "vulnerability": "VCID-hz26-bm34-gkfx" }, { "vulnerability": "VCID-j3ax-7a88-f7ff" }, { "vulnerability": "VCID-jbuf-3rr2-5kcv" }, { "vulnerability": "VCID-kx8z-7c3y-kkb5" }, { "vulnerability": "VCID-pzmb-xzk9-s7dy" }, { "vulnerability": "VCID-rcqb-2498-77e2" }, { "vulnerability": "VCID-syg7-c85s-4ufu" }, { "vulnerability": "VCID-vd8p-48kf-yyg6" }, { "vulnerability": "VCID-wdb6-4eqr-myd2" }, { "vulnerability": "VCID-yseh-dp68-wkfd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.9.2" } ], "aliases": [ "CVE-2023-6909", "GHSA-5r3q-93q3-f978", "PYSEC-2023-252" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s76e-s9ut-2bdq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36638?format=api", "vulnerability_id": "VCID-saca-pg4n-xucu", "summary": "Path Traversal in GitHub repository mlflow/mlflow prior to 2.9.2.", "references": [ { "reference_url": "https://github.com/mlflow/mlflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/mlflow/mlflow" }, { "reference_url": "https://github.com/mlflow/mlflow/commit/1c6309f884798fbf56017a3cc808016869ee8de4", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/mlflow/mlflow/commit/1c6309f884798fbf56017a3cc808016869ee8de4" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2023-309.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2023-309.yaml" }, { "reference_url": "https://huntr.com/bounties/b397b83a-527a-47e7-b912-a12a17a6cfb4", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://huntr.com/bounties/b397b83a-527a-47e7-b912-a12a17a6cfb4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6753", "reference_id": "CVE-2023-6753", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6753" }, { "reference_url": "https://github.com/advisories/GHSA-v945-r3rc-6fjm", "reference_id": "GHSA-v945-r3rc-6fjm", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-v945-r3rc-6fjm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38278?format=api", "purl": "pkg:pypi/mlflow@2.9.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22x6-fafr-y3db" }, { "vulnerability": "VCID-7m3u-tyeh-rqgz" }, { "vulnerability": "VCID-cu1t-7wnm-y7hk" }, { "vulnerability": "VCID-deyg-v3z9-6fet" }, { "vulnerability": "VCID-fsds-g6hy-jud8" }, { "vulnerability": "VCID-g9p5-4cqv-qfew" }, { "vulnerability": "VCID-hz26-bm34-gkfx" }, { "vulnerability": "VCID-j3ax-7a88-f7ff" }, { "vulnerability": "VCID-jbuf-3rr2-5kcv" }, { "vulnerability": "VCID-kx8z-7c3y-kkb5" }, { "vulnerability": "VCID-pzmb-xzk9-s7dy" }, { "vulnerability": "VCID-rcqb-2498-77e2" }, { "vulnerability": "VCID-syg7-c85s-4ufu" }, { "vulnerability": "VCID-vd8p-48kf-yyg6" }, { "vulnerability": "VCID-wdb6-4eqr-myd2" }, { "vulnerability": "VCID-yseh-dp68-wkfd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.9.2" } ], "aliases": [ "CVE-2023-6753", "GHSA-v945-r3rc-6fjm", "PYSEC-2023-309" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-saca-pg4n-xucu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36944?format=api", "vulnerability_id": "VCID-syg7-c85s-4ufu", "summary": "Excessive directory permissions in MLflow leads to local privilege escalation when using spark_udf. This behavior can be exploited by a local attacker to gain elevated permissions by using a ToCToU attack. The issue is only relevant when the spark_udf() MLflow API is called.", "references": [ { "reference_url": "https://github.com/mlflow/mlflow/pull/10874", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/mlflow/mlflow/pull/10874" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/44170?format=api", "purl": "pkg:pypi/mlflow@2.16.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-cu1t-7wnm-y7hk" }, { "vulnerability": "VCID-g9p5-4cqv-qfew" }, { "vulnerability": "VCID-hz26-bm34-gkfx" }, { "vulnerability": "VCID-rcqb-2498-77e2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.16.0" } ], "aliases": [ "CVE-2024-27134", "PYSEC-2024-224" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-syg7-c85s-4ufu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36762?format=api", "vulnerability_id": "VCID-vd8p-48kf-yyg6", "summary": "mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary files on the system. The issue arises from the 'is_local_uri' function's failure to properly handle URIs with empty or 'file' schemes, leading to the misclassification of URIs as non-local. Attackers can exploit this by crafting malicious model versions with specially crafted 'source' parameters, enabling the reading of sensitive files within at least two directory levels from the server's root.", "references": [ { "reference_url": "https://github.com/mlflow/mlflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/mlflow/mlflow" }, { "reference_url": "https://github.com/mlflow/mlflow/commit/438a450714a3ca06285eeea34bdc6cf79d7f6cbc", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N" } ], "url": "https://github.com/mlflow/mlflow/commit/438a450714a3ca06285eeea34bdc6cf79d7f6cbc" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2024-243.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2024-243.yaml" }, { "reference_url": "https://huntr.com/bounties/8ea058a7-4ef8-4baf-9198-bc0147fc543c", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N" } ], "url": "https://huntr.com/bounties/8ea058a7-4ef8-4baf-9198-bc0147fc543c" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3573", "reference_id": "CVE-2024-3573", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3573" }, { "reference_url": "https://github.com/advisories/GHSA-hq88-wg7q-gp4g", "reference_id": "GHSA-hq88-wg7q-gp4g", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-hq88-wg7q-gp4g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40186?format=api", "purl": "pkg:pypi/mlflow@2.10.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7m3u-tyeh-rqgz" }, { "vulnerability": "VCID-cu1t-7wnm-y7hk" }, { "vulnerability": "VCID-g9p5-4cqv-qfew" }, { "vulnerability": "VCID-hz26-bm34-gkfx" }, { "vulnerability": "VCID-jbuf-3rr2-5kcv" }, { "vulnerability": "VCID-pzmb-xzk9-s7dy" }, { "vulnerability": "VCID-rcqb-2498-77e2" }, { "vulnerability": "VCID-syg7-c85s-4ufu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.10.0" } ], "aliases": [ "CVE-2024-3573", "GHSA-hq88-wg7q-gp4g", "PYSEC-2024-243" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vd8p-48kf-yyg6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36802?format=api", "vulnerability_id": "VCID-wwe2-hxs5-t7eq", "summary": "A vulnerability in mlflow/mlflow version 8.2.1 allows for remote code execution due to improper neutralization of special elements used in an OS command ('Command Injection') within the `mlflow.data.http_dataset_source.py` module. Specifically, when loading a dataset from a source URL with an HTTP scheme, the filename extracted from the `Content-Disposition` header or the URL path is used to generate the final file path without proper sanitization. This flaw enables an attacker to control the file path fully by utilizing path traversal or absolute path techniques, such as '../../tmp/poc.txt' or '/tmp/poc.txt', leading to arbitrary file write. Exploiting this vulnerability could allow a malicious user to execute commands on the vulnerable machine, potentially gaining access to data and model information. The issue is fixed in version 2.9.0.", "references": [ { "reference_url": "https://github.com/mlflow/mlflow/commit/400c226953b4568f4361bc0a0c223511652c2b9d", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/mlflow/mlflow/commit/400c226953b4568f4361bc0a0c223511652c2b9d" }, { "reference_url": "https://huntr.com/bounties/93e470d7-b6f0-409b-af63-49d3e2a26dbc", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://huntr.com/bounties/93e470d7-b6f0-409b-af63-49d3e2a26dbc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38207?format=api", "purl": "pkg:pypi/mlflow@2.9.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7m3u-tyeh-rqgz" }, { "vulnerability": "VCID-93v9-5y4m-t7dz" }, { "vulnerability": "VCID-cu1t-7wnm-y7hk" }, { "vulnerability": "VCID-deyg-v3z9-6fet" }, { "vulnerability": "VCID-ep2z-9m6r-6ubu" }, { "vulnerability": "VCID-g9p5-4cqv-qfew" }, { "vulnerability": "VCID-hz26-bm34-gkfx" }, { "vulnerability": "VCID-j3ax-7a88-f7ff" }, { "vulnerability": "VCID-jbuf-3rr2-5kcv" }, { "vulnerability": "VCID-ns8z-pwe6-vbby" }, { "vulnerability": "VCID-pzmb-xzk9-s7dy" }, { "vulnerability": "VCID-rcqb-2498-77e2" }, { "vulnerability": "VCID-s76e-s9ut-2bdq" }, { "vulnerability": "VCID-saca-pg4n-xucu" }, { "vulnerability": "VCID-syg7-c85s-4ufu" }, { "vulnerability": "VCID-vd8p-48kf-yyg6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.9.0" } ], "aliases": [ "CVE-2024-0520", "PYSEC-2024-239" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wwe2-hxs5-t7eq" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36431?format=api", "vulnerability_id": "VCID-3uj4-75x9-a7ae", "summary": "Relative Path Traversal in GitHub repository mlflow/mlflow prior to 2.3.1.", "references": [ { "reference_url": "https://github.com/mlflow/mlflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/mlflow/mlflow" }, { "reference_url": "https://github.com/mlflow/mlflow/commit/f73147496e05c09a8b83d95fb4f1bf86696c6342", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/mlflow/mlflow/commit/f73147496e05c09a8b83d95fb4f1bf86696c6342" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2023-68.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2023-68.yaml" }, { "reference_url": "https://huntr.dev/bounties/7b5d130d-38eb-4133-8c7d-0dfc9a9d9896", "reference_id": "", "reference_type": "", "scores": [], "url": "https://huntr.dev/bounties/7b5d130d-38eb-4133-8c7d-0dfc9a9d9896" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2356", "reference_id": "CVE-2023-2356", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2356" }, { "reference_url": "https://github.com/advisories/GHSA-x422-6qhv-p29g", "reference_id": "GHSA-x422-6qhv-p29g", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-x422-6qhv-p29g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/33502?format=api", "purl": "pkg:pypi/mlflow@2.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7m3u-tyeh-rqgz" }, { "vulnerability": "VCID-93v9-5y4m-t7dz" }, { "vulnerability": "VCID-an1e-3jdw-7yaw" }, { "vulnerability": "VCID-cu1t-7wnm-y7hk" }, { "vulnerability": "VCID-deyg-v3z9-6fet" }, { "vulnerability": "VCID-ep2z-9m6r-6ubu" }, { "vulnerability": "VCID-g9p5-4cqv-qfew" }, { "vulnerability": "VCID-hz26-bm34-gkfx" }, { "vulnerability": "VCID-j3ax-7a88-f7ff" }, { "vulnerability": "VCID-jbuf-3rr2-5kcv" }, { "vulnerability": "VCID-ns8z-pwe6-vbby" }, { "vulnerability": "VCID-p21k-ac5p-9kam" }, { "vulnerability": "VCID-pzmb-xzk9-s7dy" }, { "vulnerability": "VCID-rcqb-2498-77e2" }, { "vulnerability": "VCID-s76e-s9ut-2bdq" }, { "vulnerability": "VCID-saca-pg4n-xucu" }, { "vulnerability": "VCID-syg7-c85s-4ufu" }, { "vulnerability": "VCID-vd8p-48kf-yyg6" }, { "vulnerability": "VCID-wwe2-hxs5-t7eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.3.1" } ], "aliases": [ "CVE-2023-2356", "GHSA-x422-6qhv-p29g", "PYSEC-2023-68" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3uj4-75x9-a7ae" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45107?format=api", "vulnerability_id": "VCID-sujn-61j7-mbdb", "summary": "Remote file access vulnerability in `mlflow server` and `mlflow ui` CLIs\nUsers of the MLflow Open Source Project who are hosting the MLflow Model Registry using the `mlflow server` or `mlflow ui` commands using an MLflow version older than **MLflow 2.3.1** may be vulnerable to a remote file access exploit if they are not limiting who can query their server (for example, by using a cloud VPC, an IP allowlist for inbound requests, or authentication / authorization middleware).\n\nThis issue only affects users and integrations that run the `mlflow server` and `mlflow ui` commands. Integrations that do not make use of `mlflow server` or `mlflow ui` are unaffected; for example, the Databricks Managed MLflow product and MLflow on Azure Machine Learning do not make use of these commands and are not impacted by these vulnerabilities in any way.\n\nThe vulnerability is very similar to https://nvd.nist.gov/vuln/detail/CVE-2023-1177, and a separate CVE will be published and updated here shortly.\n\nThis vulnerability has been patched in MLflow 2.3.1, which was released to PyPI on April 27th, 2023. If you are using `mlflow server` or `mlflow ui` with the MLflow Model Registry, we recommend upgrading to MLflow 2.3.1 as soon as possible.\n\nIf you are using the MLflow open source `mlflow server` or `mlflow ui` commands, we strongly recommend limiting who can access your MLflow Model Registry and MLflow Tracking servers using a cloud VPC, an IP allowlist for inbound requests, authentication / authorization middleware, or another access restriction mechanism of your choosing.\n\nIf you are using the MLflow open source `mlflow server` or `mlflow ui` commands, we also strongly recommend limiting the remote files to which your MLflow Model Registry and MLflow Tracking servers have access. For example, if your MLflow Model Registry or MLflow Tracking server uses cloud-hosted blob storage for MLflow artifacts, make sure to restrict the scope of your server's cloud credentials such that it can only access files and directories related to MLflow.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-83fm-w79m-64r5", "reference_id": "GHSA-83fm-w79m-64r5", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-83fm-w79m-64r5" }, { "reference_url": "https://github.com/mlflow/mlflow/security/advisories/GHSA-83fm-w79m-64r5", "reference_id": "GHSA-83fm-w79m-64r5", "reference_type": "", "scores": [], "url": "https://github.com/mlflow/mlflow/security/advisories/GHSA-83fm-w79m-64r5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/33502?format=api", "purl": "pkg:pypi/mlflow@2.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7m3u-tyeh-rqgz" }, { "vulnerability": "VCID-93v9-5y4m-t7dz" }, { "vulnerability": "VCID-an1e-3jdw-7yaw" }, { "vulnerability": "VCID-cu1t-7wnm-y7hk" }, { "vulnerability": "VCID-deyg-v3z9-6fet" }, { "vulnerability": "VCID-ep2z-9m6r-6ubu" }, { "vulnerability": "VCID-g9p5-4cqv-qfew" }, { "vulnerability": "VCID-hz26-bm34-gkfx" }, { "vulnerability": "VCID-j3ax-7a88-f7ff" }, { "vulnerability": "VCID-jbuf-3rr2-5kcv" }, { "vulnerability": "VCID-ns8z-pwe6-vbby" }, { "vulnerability": "VCID-p21k-ac5p-9kam" }, { "vulnerability": "VCID-pzmb-xzk9-s7dy" }, { "vulnerability": "VCID-rcqb-2498-77e2" }, { "vulnerability": "VCID-s76e-s9ut-2bdq" }, { "vulnerability": "VCID-saca-pg4n-xucu" }, { "vulnerability": "VCID-syg7-c85s-4ufu" }, { "vulnerability": "VCID-vd8p-48kf-yyg6" }, { "vulnerability": "VCID-wwe2-hxs5-t7eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.3.1" } ], "aliases": [ "GHSA-83fm-w79m-64r5", "GMS-2023-1305" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sujn-61j7-mbdb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36445?format=api", "vulnerability_id": "VCID-u94r-pnx1-s7c7", "summary": "Path Traversal: '\\..\\filename' in GitHub repository mlflow/mlflow prior to 2.3.1.", "references": [ { "reference_url": "https://github.com/mlflow/mlflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/mlflow/mlflow" }, { "reference_url": "https://github.com/mlflow/mlflow/commit/fae77a525dd908c56d6204a4cef1c1c75b4e9857", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/mlflow/mlflow/commit/fae77a525dd908c56d6204a4cef1c1c75b4e9857" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2023-69.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2023-69.yaml" }, { "reference_url": "https://huntr.dev/bounties/b12b0073-0bb0-4bd1-8fc2-ec7f17fd7689", "reference_id": "", "reference_type": "", "scores": [], "url": "https://huntr.dev/bounties/b12b0073-0bb0-4bd1-8fc2-ec7f17fd7689" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2780", "reference_id": "CVE-2023-2780", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2780" }, { "reference_url": "https://github.com/advisories/GHSA-wjq3-7jxx-whj9", "reference_id": "GHSA-wjq3-7jxx-whj9", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-wjq3-7jxx-whj9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/33501?format=api", "purl": "pkg:pypi/mlflow@2.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3uj4-75x9-a7ae" }, { "vulnerability": "VCID-7m3u-tyeh-rqgz" }, { "vulnerability": "VCID-93v9-5y4m-t7dz" }, { "vulnerability": "VCID-an1e-3jdw-7yaw" }, { "vulnerability": "VCID-cu1t-7wnm-y7hk" }, { "vulnerability": "VCID-deyg-v3z9-6fet" }, { "vulnerability": "VCID-ep2z-9m6r-6ubu" }, { "vulnerability": "VCID-g9p5-4cqv-qfew" }, { "vulnerability": "VCID-hz26-bm34-gkfx" }, { "vulnerability": "VCID-j3ax-7a88-f7ff" }, { "vulnerability": "VCID-jbuf-3rr2-5kcv" }, { "vulnerability": "VCID-ns8z-pwe6-vbby" }, { "vulnerability": "VCID-p21k-ac5p-9kam" }, { "vulnerability": "VCID-pzmb-xzk9-s7dy" }, { "vulnerability": "VCID-rcqb-2498-77e2" }, { "vulnerability": "VCID-s76e-s9ut-2bdq" }, { "vulnerability": "VCID-saca-pg4n-xucu" }, { "vulnerability": "VCID-syg7-c85s-4ufu" }, { "vulnerability": "VCID-u94r-pnx1-s7c7" }, { "vulnerability": "VCID-vd8p-48kf-yyg6" }, { "vulnerability": "VCID-wwe2-hxs5-t7eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.3.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/33502?format=api", "purl": "pkg:pypi/mlflow@2.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7m3u-tyeh-rqgz" }, { "vulnerability": "VCID-93v9-5y4m-t7dz" }, { "vulnerability": "VCID-an1e-3jdw-7yaw" }, { "vulnerability": "VCID-cu1t-7wnm-y7hk" }, { "vulnerability": "VCID-deyg-v3z9-6fet" }, { "vulnerability": "VCID-ep2z-9m6r-6ubu" }, { "vulnerability": "VCID-g9p5-4cqv-qfew" }, { "vulnerability": "VCID-hz26-bm34-gkfx" }, { "vulnerability": "VCID-j3ax-7a88-f7ff" }, { "vulnerability": "VCID-jbuf-3rr2-5kcv" }, { "vulnerability": "VCID-ns8z-pwe6-vbby" }, { "vulnerability": "VCID-p21k-ac5p-9kam" }, { "vulnerability": "VCID-pzmb-xzk9-s7dy" }, { "vulnerability": "VCID-rcqb-2498-77e2" }, { "vulnerability": "VCID-s76e-s9ut-2bdq" }, { "vulnerability": "VCID-saca-pg4n-xucu" }, { "vulnerability": "VCID-syg7-c85s-4ufu" }, { "vulnerability": "VCID-vd8p-48kf-yyg6" }, { "vulnerability": "VCID-wwe2-hxs5-t7eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.3.1" } ], "aliases": [ "CVE-2023-2780", "GHSA-wjq3-7jxx-whj9", "PYSEC-2023-69" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-u94r-pnx1-s7c7" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.3.1" }