| 0 |
| url |
VCID-5qe9-6ecs-syek |
| vulnerability_id |
VCID-5qe9-6ecs-syek |
| summary |
Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over dataset table fields. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-27133, GHSA-3v79-q7ph-j75h, PYSEC-2024-241
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5qe9-6ecs-syek |
|
| 1 |
| url |
VCID-6tvx-kzfy-xfhv |
| vulnerability_id |
VCID-6tvx-kzfy-xfhv |
| summary |
mlflow Path Traversal vulnerability
A path traversal vulnerability exists in mlflow/mlflow version 2.9.2, allowing attackers to access arbitrary files on the server. By crafting a series of HTTP POST requests with specially crafted 'artifact_location' and 'source' parameters, using a local URI with '#' instead of '?', an attacker can traverse the server's directory structure. The issue occurs due to insufficient validation of user-supplied input in the server's handlers. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-1483, GHSA-f82r-jj5r-6g97
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6tvx-kzfy-xfhv |
|
| 2 |
| url |
VCID-6x4v-udkg-z3es |
| vulnerability_id |
VCID-6x4v-udkg-z3es |
| summary |
Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe.
This issue leads to a client-side RCE when running an untrusted recipe in Jupyter Notebook.
The vulnerability stems from lack of sanitization over template variables. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-27132, GHSA-6749-m5cp-6cg7, PYSEC-2024-240
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6x4v-udkg-z3es |
|
| 3 |
| url |
VCID-76zk-ent1-myc9 |
| vulnerability_id |
VCID-76zk-ent1-myc9 |
| summary |
mlflow vulnerable to Path Traversal
A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the artifact deletion functionality. Attackers can bypass path validation by exploiting the double decoding process in the `_delete_artifact_mlflow_artifacts` handler and `local_file_uri_to_path` function, allowing for the deletion of arbitrary directories on the server's filesystem. This vulnerability is due to an extra unquote operation in the `delete_artifacts` function of `local_artifact_repo.py`, which fails to properly sanitize user-supplied paths. The issue is present up to version 2.9.2, despite attempts to fix a similar issue in CVE-2023-6831. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-1560, GHSA-5mvj-wmgj-7q8c
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-76zk-ent1-myc9 |
|
| 4 |
| url |
VCID-8kf8-a6w5-m3b5 |
| vulnerability_id |
VCID-8kf8-a6w5-m3b5 |
| summary |
mlflow vulnerable to Path Traversal
A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the `artifact_location` parameter when creating an experiment. Attackers can exploit this vulnerability by using a fragment component `#` in the artifact location URI to read arbitrary files on the server in the context of the server's process. This issue is similar to CVE-2023-6909 but utilizes a different component of the URI to achieve the same effect. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-1594, GHSA-m49c-5c52-6696
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8kf8-a6w5-m3b5 |
|
| 5 |
| url |
VCID-96st-1wwr-4ken |
| vulnerability_id |
VCID-96st-1wwr-4ken |
| summary |
In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security risks, as accounts without passwords may be susceptible to unauthorized access. Additionally, this issue violates best practices for secure user account management. The issue is fixed in version 2.19.0. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-1474, PYSEC-2025-17
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-96st-1wwr-4ken |
|
| 6 |
| url |
VCID-gr3d-61ds-j7ej |
| vulnerability_id |
VCID-gr3d-61ds-j7ej |
| summary |
mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary files on the system. The issue arises from the 'is_local_uri' function's failure to properly handle URIs with empty or 'file' schemes, leading to the misclassification of URIs as non-local. Attackers can exploit this by crafting malicious model versions with specially crafted 'source' parameters, enabling the reading of sensitive files within at least two directory levels from the server's root. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-3573, GHSA-hq88-wg7q-gp4g, PYSEC-2024-243
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gr3d-61ds-j7ej |
|
| 7 |
| url |
VCID-njg8-d2r5-rfax |
| vulnerability_id |
VCID-njg8-d2r5-rfax |
| summary |
A broken access control vulnerability exists in mlflow/mlflow versions before 2.10.1, where low privilege users with only EDIT permissions on an experiment can delete any artifacts. This issue arises due to the lack of proper validation for DELETE requests by users with EDIT permissions, allowing them to perform unauthorized deletions of artifacts. The vulnerability specifically affects the handling of artifact deletions within the application, as demonstrated by the ability of a low privilege user to delete a directory inside an artifact using a DELETE request, despite the official documentation stating that users with EDIT permission can only read and update artifacts, not delete them. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-4263, PYSEC-2024-51
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-njg8-d2r5-rfax |
|
| 8 |
| url |
VCID-pugd-v7em-sbec |
| vulnerability_id |
VCID-pugd-v7em-sbec |
| summary |
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim.
This issue affects MLflow version through 3.10.1 |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-33865, PYSEC-2026-93
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pugd-v7em-sbec |
|
| 9 |
| url |
VCID-qnyj-3qc7-p7bp |
| vulnerability_id |
VCID-qnyj-3qc7-p7bp |
| summary |
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access.
This issue affects MLflow version through 3.10.1 |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-33866, PYSEC-2026-94
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qnyj-3qc7-p7bp |
|
| 10 |
| url |
VCID-r2kq-hqdf-6ugh |
| vulnerability_id |
VCID-r2kq-hqdf-6ugh |
| summary |
A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '#' character can be used to insert a path into the fragment, effectively skipping validation. This allows an attacker to construct a URL that, when processed, ignores the protocol scheme and uses the provided path for filesystem access. As a result, an attacker can read arbitrary files, including sensitive information such as SSH and cloud keys, by exploiting the way the application converts the URL into a filesystem path. The issue stems from insufficient validation of the fragment portion of the URL, leading to arbitrary file read through path traversal. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-3848, PYSEC-2024-244
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-r2kq-hqdf-6ugh |
|
| 11 |
| url |
VCID-r9df-3b7p-jfcy |
| vulnerability_id |
VCID-r9df-3b7p-jfcy |
| summary |
Excessive directory permissions in MLflow leads to local privilege escalation when using spark_udf. This behavior can be exploited by a local attacker to gain elevated permissions by using a ToCToU attack. The issue is only relevant when the spark_udf() MLflow API is called. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-27134, PYSEC-2024-224
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-r9df-3b7p-jfcy |
|
| 12 |
| url |
VCID-s2ry-vd94-qfc6 |
| vulnerability_id |
VCID-s2ry-vd94-qfc6 |
| summary |
mlflow vulnerable to Path Traversal
A path traversal vulnerability exists in the mlflow/mlflow repository due to improper handling of URL parameters. By smuggling path traversal sequences using the ';' character in URLs, attackers can manipulate the 'params' portion of the URL to gain unauthorized access to files or directories. This vulnerability allows for arbitrary data smuggling into the 'params' part of the URL, enabling attacks similar to those described in previous reports but utilizing the ';' character for parameter smuggling. Successful exploitation could lead to unauthorized information disclosure or server compromise. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-1593, GHSA-f42m-mvfv-cgw5
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-s2ry-vd94-qfc6 |
|
| 13 |
| url |
VCID-utmm-2j11-eyh6 |
| vulnerability_id |
VCID-utmm-2j11-eyh6 |
| summary |
A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system, including sensitive files like '/etc/passwd'. The vulnerability is a bypass to a previous patch that only addressed similar manipulation within the URI's query string, highlighting the need for comprehensive validation of all parts of a URI to prevent LFI attacks. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-2928, PYSEC-2024-242
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-utmm-2j11-eyh6 |
|
| 14 |
|
| 15 |
| url |
VCID-ya6d-ny22-ybdh |
| vulnerability_id |
VCID-ya6d-ny22-ybdh |
| summary |
mlflow vulnerable to Path Traversal
A path traversal vulnerability exists in the `_create_model_version()` function within `server/handlers.py` of the mlflow/mlflow repository, due to improper validation of the `source` parameter. Attackers can exploit this vulnerability by crafting a `source` parameter that bypasses the `_validate_non_local_source_contains_relative_paths(source)` function's checks, allowing for arbitrary file read access on the server. The issue arises from the handling of unquoted URL characters and the subsequent misuse of the original `source` value for model version creation, leading to the exposure of sensitive files when interacting with the `/model-versions/get-artifact` handler. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-1558, GHSA-j62r-wxqq-f3gf
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ya6d-ny22-ybdh |
|