Search for packages
| purl | pkg:pypi/mlflow@0.9.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1r11-xvzt-suhp
Aliases: CVE-2023-6014 GHSA-4qq5-mxxx-m6gg |
MLflow authentication requirement bypass can allow a user to arbitrarily create an account An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirment. |
Affected by 58 other vulnerabilities. Affected by 58 other vulnerabilities. |
|
VCID-1rkq-1ed6-fkd8
Aliases: CVE-2025-15381 GHSA-g6pg-52vf-843h |
mlflow/mlflow: mlflow/mlflow: Information disclosure and unauthorized data modification via unprotected tracing and assessment endpoints |
Affected by 5 other vulnerabilities. |
|
VCID-22x6-fafr-y3db
Aliases: CVE-2024-1558 GHSA-j62r-wxqq-f3gf |
mlflow vulnerable to Path Traversal A path traversal vulnerability exists in the `_create_model_version()` function within `server/handlers.py` of the mlflow/mlflow repository, due to improper validation of the `source` parameter. Attackers can exploit this vulnerability by crafting a `source` parameter that bypasses the `_validate_non_local_source_contains_relative_paths(source)` function's checks, allowing for arbitrary file read access on the server. The issue arises from the handling of unquoted URL characters and the subsequent misuse of the original `source` value for model version creation, leading to the exposure of sensitive files when interacting with the `/model-versions/get-artifact` handler. |
Affected by 36 other vulnerabilities. Affected by 32 other vulnerabilities. |
|
VCID-2kkx-3hfx-uqcf
Aliases: BIT-mlflow-2023-1176 CVE-2023-1176 GHSA-wp72-7hj9-5265 PYSEC-2023-28 |
Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.2.2. |
Affected by 64 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-2p2m-e3dw-kuhs
Aliases: CVE-2025-10279 GHSA-4x5p-f36r-mxxr |
mlflow Creates of Temporary File in Directory with Insecure Permissions In mlflow version 2.20.3, the temporary directory used for creating Python virtual environments is assigned insecure world-writable permissions (0o777). This vulnerability allows an attacker with write access to the `/tmp` directory to exploit a race condition and overwrite `.py` files in the virtual environment, leading to arbitrary code execution. The issue is resolved in version 3.4.0. |
Affected by 13 other vulnerabilities. |
|
VCID-2pbf-wr1w-gkdt
Aliases: CVE-2025-0453 GHSA-49m6-vrr9-2cqm |
MLflow Uncontrolled Resource Consumption vulnerability In mlflow/mlflow version 2.17.2, the `/graphql` endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLFlow, rendering the application unable to respond to other requests. This vulnerability is due to uncontrolled resource consumption. |
Affected by 19 other vulnerabilities. |
|
VCID-2vtv-d1qd-nbfk
Aliases: CVE-2024-37054 GHSA-ghv6-9r9j-wh4j |
MLFlow unsafe deserialization Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.9.0 or newer, enabling a maliciously uploaded PyFunc model to run arbitrary code on an end user’s system when interacted with. | There are no reported fixed by versions. |
|
VCID-3uj4-75x9-a7ae
Aliases: BIT-mlflow-2023-2356 CVE-2023-2356 GHSA-x422-6qhv-p29g PYSEC-2023-68 |
Relative Path Traversal in GitHub repository mlflow/mlflow prior to 2.3.1. |
Affected by 60 other vulnerabilities. |
|
VCID-57gp-hzcs-nubp
Aliases: BIT-mlflow-2026-10803 CVE-2026-10803 PYSEC-2026-195 |
A flaw has been found in MLflow up to 3.10.0. This issue affects the function mlflow.data.digest_utils of the file mlflow/data/digest_utils.py of the component Dataset Digest Computation. This manipulation causes use of weak hash. It is possible to launch the attack on the local host. The attack is considered to have high complexity. The exploitability is assessed as difficult. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet. |
Affected by 3 other vulnerabilities. |
|
VCID-58ta-qa92-xfe3
Aliases: BIT-mlflow-2022-0736 CVE-2022-0736 GHSA-vqj2-4v8m-8vrq PYSEC-2022-28 |
Insecure Temporary File in GitHub repository mlflow/mlflow prior to 1.23.1. |
Affected by 63 other vulnerabilities. |
|
VCID-5a75-gxh6-5bak
Aliases: CVE-2026-2033 GHSA-q2r8-vmq7-fpx2 |
MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of artifact file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. |
Affected by 9 other vulnerabilities. |
|
VCID-7m3u-tyeh-rqgz
Aliases: BIT-mlflow-2024-4263 CVE-2024-4263 GHSA-p4jx-q62p-x5jr PYSEC-2024-51 |
A broken access control vulnerability exists in mlflow/mlflow versions before 2.10.1, where low privilege users with only EDIT permissions on an experiment can delete any artifacts. This issue arises due to the lack of proper validation for DELETE requests by users with EDIT permissions, allowing them to perform unauthorized deletions of artifacts. The vulnerability specifically affects the handling of artifact deletions within the application, as demonstrated by the ability of a low privilege user to delete a directory inside an artifact using a DELETE request, despite the official documentation stating that users with EDIT permission can only read and update artifacts, not delete them. |
Affected by 35 other vulnerabilities. |
|
VCID-7vcj-1uvm-bfec
Aliases: CVE-2023-6018 GHSA-5p3h-7fwh-92rc |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') An attacker can overwrite any file on the server hosting MLflow without any authentication. |
Affected by 44 other vulnerabilities. |
|
VCID-92e8-3ev4-r7c9
Aliases: CVE-2024-6838 GHSA-q3gw-8236-5jw4 |
MLflow Uncontrolled Resource Consumption vulnerability In mlflow/mlflow version v2.13.2, a vulnerability exists that allows the creation or renaming of an experiment with a large number of integers in its name due to the lack of a limit on the experiment name. This can cause the MLflow UI panel to become unresponsive, leading to a potential denial of service. Additionally, there is no character limit in the `artifact_location` parameter while creating the experiment. |
Affected by 21 other vulnerabilities. |
|
VCID-93v9-5y4m-t7dz
Aliases: BIT-mlflow-2023-6568 CVE-2023-6568 GHSA-vwhf-3v6x-wff8 PYSEC-2023-260 |
A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the Content-Type header in POST requests. An attacker can inject malicious JavaScript code into the Content-Type header, which is then improperly reflected back to the user without adequate sanitization or escaping, leading to arbitrary JavaScript execution in the context of the victim's browser. The vulnerability is present in the mlflow/server/auth/__init__.py file, where the user-supplied Content-Type header is directly injected into a Python formatted string and returned to the user, facilitating the XSS attack. |
Affected by 54 other vulnerabilities. Affected by 53 other vulnerabilities. |
|
VCID-an1e-3jdw-7yaw
Aliases: BIT-mlflow-2023-4033 CVE-2023-4033 GHSA-ffw3-6378-cqgp PYSEC-2023-280 |
OS Command Injection in GitHub repository mlflow/mlflow prior to 2.6.0. |
Affected by 58 other vulnerabilities. |
|
VCID-ap57-62wx-k7b9
Aliases: CVE-2023-6940 GHSA-hvc6-42vf-jhf8 |
Improper Neutralization of Special Elements used in a Command ('Command Injection') with only one user interaction(download a malicious config), attackers can gain full command execution on the victim system. |
Affected by 44 other vulnerabilities. |
|
VCID-b5eg-nt7k-z7fw
Aliases: CVE-2025-11201 GHSA-5cvj-7rg6-jggj |
MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of model file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26921. |
Affected by 15 other vulnerabilities. Affected by 15 other vulnerabilities. |
|
VCID-c7tc-cv45-d7c2
Aliases: CVE-2023-43472 GHSA-wqxf-447m-6f5f |
Information exposure in MLflow An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API. |
Affected by 54 other vulnerabilities. |
|
VCID-cu1t-7wnm-y7hk
Aliases: BIT-mlflow-2026-33866 CVE-2026-33866 GHSA-46r5-x6jq-v8g6 PYSEC-2026-94 |
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access. This issue affects MLflow version through 3.10.1 |
Affected by 1 other vulnerability. |
|
VCID-d5ea-bnry-nkak
Aliases: CVE-2024-8859 GHSA-4rqf-8pfm-p36r |
MLflow has a Local File Read/Path Traversal in dbfs A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is checked, while parts such as query and parameters are not handled. The vulnerability is triggered if the user has configured the dbfs service, and during usage, the service is mounted to a local directory. |
Affected by 19 other vulnerabilities. |
|
VCID-deyg-v3z9-6fet
Aliases: BIT-mlflow-2024-27132 CVE-2024-27132 GHSA-6749-m5cp-6cg7 PYSEC-2024-240 |
Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe. This issue leads to a client-side RCE when running an untrusted recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over template variables. |
Affected by 36 other vulnerabilities. |
|
VCID-ep2z-9m6r-6ubu
Aliases: BIT-mlflow-2023-6709 CVE-2023-6709 GHSA-cxfr-5q3r-2rc2 PYSEC-2023-281 |
Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository mlflow/mlflow prior to 2.9.2. |
Affected by 44 other vulnerabilities. |
|
VCID-fsds-g6hy-jud8
Aliases: CVE-2024-1560 GHSA-5mvj-wmgj-7q8c |
mlflow vulnerable to Path Traversal A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the artifact deletion functionality. Attackers can bypass path validation by exploiting the double decoding process in the `_delete_artifact_mlflow_artifacts` handler and `local_file_uri_to_path` function, allowing for the deletion of arbitrary directories on the server's filesystem. This vulnerability is due to an extra unquote operation in the `delete_artifacts` function of `local_artifact_repo.py`, which fails to properly sanitize user-supplied paths. The issue is present up to version 2.9.2, despite attempts to fix a similar issue in CVE-2023-6831. |
Affected by 36 other vulnerabilities. |
|
VCID-g8qn-qss3-sqcc
Aliases: CVE-2025-11200 GHSA-6xj8-rrqx-r4cv |
MLflow Weak Password Requirements Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. The issue results from weak password requirements. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26916. |
Affected by 17 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-g9p5-4cqv-qfew
Aliases: BIT-mlflow-2026-33865 CVE-2026-33865 GHSA-fh64-r2vc-xvhr PYSEC-2026-93 |
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim. This issue affects MLflow version through 3.10.1 |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-hu7e-n16j-rubw
Aliases: CVE-2026-0545 GHSA-7qhf-v65m-g5f3 |
mlflow/mlflow: mlflow/mlflow: Unauthenticated remote code execution via unprotected job endpoints |
Affected by 1 other vulnerability. |
|
VCID-hz26-bm34-gkfx
Aliases: BIT-mlflow-2025-1474 CVE-2025-1474 GHSA-4rj2-9gcx-5qhx PYSEC-2025-17 |
In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security risks, as accounts without passwords may be susceptible to unauthorized access. Additionally, this issue violates best practices for secure user account management. The issue is fixed in version 2.19.0. |
Affected by 18 other vulnerabilities. |
|
VCID-j3ax-7a88-f7ff
Aliases: BIT-mlflow-2024-27133 CVE-2024-27133 GHSA-3v79-q7ph-j75h PYSEC-2024-241 |
Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over dataset table fields. |
Affected by 36 other vulnerabilities. |
|
VCID-jbuf-3rr2-5kcv
Aliases: BIT-mlflow-2024-2928 CVE-2024-2928 GHSA-j46q-5pxx-8vmw PYSEC-2024-242 |
A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system, including sensitive files like '/etc/passwd'. The vulnerability is a bypass to a previous patch that only addressed similar manipulation within the URI's query string, highlighting the need for comprehensive validation of all parts of a URI to prevent LFI attacks. |
Affected by 33 other vulnerabilities. |
|
VCID-jy2j-vzv6-73gh
Aliases: BIT-mlflow-2023-1177 CVE-2023-1177 GHSA-xg73-94fp-g449 PYSEC-2023-29 |
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1. |
Affected by 64 other vulnerabilities. |
|
VCID-kx8z-7c3y-kkb5
Aliases: CVE-2024-1593 GHSA-f42m-mvfv-cgw5 |
mlflow vulnerable to Path Traversal A path traversal vulnerability exists in the mlflow/mlflow repository due to improper handling of URL parameters. By smuggling path traversal sequences using the ';' character in URLs, attackers can manipulate the 'params' portion of the URL to gain unauthorized access to files or directories. This vulnerability allows for arbitrary data smuggling into the 'params' part of the URL, enabling attacks similar to those described in previous reports but utilizing the ';' character for parameter smuggling. Successful exploitation could lead to unauthorized information disclosure or server compromise. |
Affected by 36 other vulnerabilities. |
|
VCID-ns8z-pwe6-vbby
Aliases: BIT-mlflow-2023-6831 CVE-2023-6831 GHSA-554w-xh4j-8w64 PYSEC-2023-253 |
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2. |
Affected by 44 other vulnerabilities. |
|
VCID-nzpp-uvn2-97dn
Aliases: CVE-2025-15379 GHSA-r23q-823p-vmf7 |
mlflow: MLflow: Arbitrary command execution via command injection in model serving container initialization. |
Affected by 9 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-p21k-ac5p-9kam
Aliases: BIT-mlflow-2023-3765 CVE-2023-3765 GHSA-fmxj-6h9g-6vw3 PYSEC-2023-308 |
Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0. |
Affected by 60 other vulnerabilities. |
|
VCID-pp8q-xumx-sqax
Aliases: BIT-mlflow-2023-30172 CVE-2023-30172 GHSA-wc6j-5g83-xfm6 PYSEC-2023-70 |
A directory traversal vulnerability in the /get-artifact API method of the mlflow platform up to v2.0.1 allows attackers to read arbitrary files on the server via the path parameter. |
Affected by 66 other vulnerabilities. Affected by 66 other vulnerabilities. Affected by 65 other vulnerabilities. |
|
VCID-pzmb-xzk9-s7dy
Aliases: BIT-mlflow-2024-3848 CVE-2024-3848 GHSA-rfqq-wq6w-72jm PYSEC-2024-244 |
A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '#' character can be used to insert a path into the fragment, effectively skipping validation. This allows an attacker to construct a URL that, when processed, ignores the protocol scheme and uses the provided path for filesystem access. As a result, an attacker can read arbitrary files, including sensitive information such as SSH and cloud keys, by exploiting the way the application converts the URL into a filesystem path. The issue stems from insufficient validation of the fragment portion of the URL, leading to arbitrary file read through path traversal. |
Affected by 32 other vulnerabilities. |
|
VCID-rcqb-2498-77e2
Aliases: BIT-mlflow-2025-52967 CVE-2025-52967 GHSA-wxj7-3fx5-pp9m PYSEC-2025-52 |
gateway_proxy_handler in MLflow before 3.1.0 lacks gateway_path validation. |
Affected by 16 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-rkbn-tn99-rucq
Aliases: CVE-2025-14287 GHSA-xch3-2f9x-wh9f |
mlflow: MLflow: Arbitrary command execution via unsanitized container image names |
Affected by 9 other vulnerabilities. |
|
VCID-s76e-s9ut-2bdq
Aliases: BIT-mlflow-2023-6909 CVE-2023-6909 GHSA-5r3q-93q3-f978 PYSEC-2023-252 |
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2. |
Affected by 44 other vulnerabilities. |
|
VCID-saca-pg4n-xucu
Aliases: BIT-mlflow-2023-6753 CVE-2023-6753 GHSA-v945-r3rc-6fjm PYSEC-2023-309 |
Path Traversal in GitHub repository mlflow/mlflow prior to 2.9.2. |
Affected by 44 other vulnerabilities. |
|
VCID-shfs-2f4g-13dm
Aliases: CVE-2025-15036 GHSA-vhcx-3pq2-4fvc |
mlflow: mlflow: Path traversal vulnerability allows arbitrary file overwrite and privilege escalation |
Affected by 5 other vulnerabilities. |
|
VCID-sktc-6w5h-1qcp
Aliases: CVE-2023-6974 GHSA-59v3-898r-qwhj |
Server-Side Request Forgery (SSRF) A malicious user could use this issue to access internal HTTP(s) servers and in the worst case (ie: aws instance) it could be abuse to get a remote code execution on the victim machine. |
Affected by 44 other vulnerabilities. |
|
VCID-styh-mxa1-7yea
Aliases: CVE-2023-6015 GHSA-f798-qm4r-23r5 |
MLflow allowed arbitrary files to be PUT onto the server. |
Affected by 57 other vulnerabilities. |
|
VCID-sujn-61j7-mbdb
Aliases: GHSA-83fm-w79m-64r5 GMS-2023-1305 |
Remote file access vulnerability in `mlflow server` and `mlflow ui` CLIs Users of the MLflow Open Source Project who are hosting the MLflow Model Registry using the `mlflow server` or `mlflow ui` commands using an MLflow version older than **MLflow 2.3.1** may be vulnerable to a remote file access exploit if they are not limiting who can query their server (for example, by using a cloud VPC, an IP allowlist for inbound requests, or authentication / authorization middleware). This issue only affects users and integrations that run the `mlflow server` and `mlflow ui` commands. Integrations that do not make use of `mlflow server` or `mlflow ui` are unaffected; for example, the Databricks Managed MLflow product and MLflow on Azure Machine Learning do not make use of these commands and are not impacted by these vulnerabilities in any way. The vulnerability is very similar to https://nvd.nist.gov/vuln/detail/CVE-2023-1177, and a separate CVE will be published and updated here shortly. This vulnerability has been patched in MLflow 2.3.1, which was released to PyPI on April 27th, 2023. If you are using `mlflow server` or `mlflow ui` with the MLflow Model Registry, we recommend upgrading to MLflow 2.3.1 as soon as possible. If you are using the MLflow open source `mlflow server` or `mlflow ui` commands, we strongly recommend limiting who can access your MLflow Model Registry and MLflow Tracking servers using a cloud VPC, an IP allowlist for inbound requests, authentication / authorization middleware, or another access restriction mechanism of your choosing. If you are using the MLflow open source `mlflow server` or `mlflow ui` commands, we also strongly recommend limiting the remote files to which your MLflow Model Registry and MLflow Tracking servers have access. For example, if your MLflow Model Registry or MLflow Tracking server uses cloud-hosted blob storage for MLflow artifacts, make sure to restrict the scope of your server's cloud credentials such that it can only access files and directories related to MLflow. |
Affected by 60 other vulnerabilities. |
|
VCID-syg7-c85s-4ufu
Aliases: BIT-mlflow-2024-27134 CVE-2024-27134 GHSA-qpgc-w4mg-6v92 PYSEC-2024-224 |
Excessive directory permissions in MLflow leads to local privilege escalation when using spark_udf. This behavior can be exploited by a local attacker to gain elevated permissions by using a ToCToU attack. The issue is only relevant when the spark_udf() MLflow API is called. |
Affected by 20 other vulnerabilities. |
|
VCID-t8ax-yvuc-eqeq
Aliases: CVE-2024-37059 GHSA-wf7f-8fxf-xfxc |
MLFlow unsafe deserialization Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with. | There are no reported fixed by versions. |
|
VCID-tbbj-9qan-ubgg
Aliases: CVE-2026-2635 GHSA-gq3w-7jj3-x7gr |
MLflow Use of Default Password Authentication Bypass Vulnerability This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the basic_auth.ini file. The file contains hard-coded default credentials. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the administrator. |
Affected by 9 other vulnerabilities. |
|
VCID-twnx-dt83-nuf3
Aliases: CVE-2025-14279 GHSA-pgqp-8h46-6x4j |
MLFlow is vulnerable to DNS rebinding attacks due to a lack of Origin header validation MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An attacker can query, update, and delete experiments via the affected endpoints, leading to potential data exfiltration, destruction, or manipulation. The issue is resolved in version 3.5.0. |
Affected by 12 other vulnerabilities. |
|
VCID-u94r-pnx1-s7c7
Aliases: BIT-mlflow-2023-2780 CVE-2023-2780 GHSA-wjq3-7jxx-whj9 PYSEC-2023-69 |
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.3.1. |
Affected by 63 other vulnerabilities. Affected by 60 other vulnerabilities. |
|
VCID-v436-quyu-1kav
Aliases: CVE-2025-15031 GHSA-fhff-qmm8-h2fp |
mlflow/mlflow: Path Traversal Vulnerability in mlflow/mlflow |
Affected by 5 other vulnerabilities. |
|
VCID-vd8p-48kf-yyg6
Aliases: BIT-mlflow-2024-3573 CVE-2024-3573 GHSA-hq88-wg7q-gp4g PYSEC-2024-243 |
mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary files on the system. The issue arises from the 'is_local_uri' function's failure to properly handle URIs with empty or 'file' schemes, leading to the misclassification of URIs as non-local. Attackers can exploit this by crafting malicious model versions with specially crafted 'source' parameters, enabling the reading of sensitive files within at least two directory levels from the server's root. |
Affected by 36 other vulnerabilities. |
|
VCID-wdb6-4eqr-myd2
Aliases: CVE-2024-1594 GHSA-m49c-5c52-6696 |
mlflow vulnerable to Path Traversal A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the `artifact_location` parameter when creating an experiment. Attackers can exploit this vulnerability by using a fragment component `#` in the artifact location URI to read arbitrary files on the server in the context of the server's process. This issue is similar to CVE-2023-6909 but utilizes a different component of the URI to achieve the same effect. |
Affected by 36 other vulnerabilities. |
|
VCID-wp3u-ssnj-tyh8
Aliases: CVE-2026-0596 GHSA-rvhj-8chj-8v3c |
Mlflow: Command Injection when serving models with enable_mlserver=True A command injection vulnerability exists in Mlflow when serving a model with `enable_mlserver=True`. The `model_uri` is embedded directly into a shell command executed via `bash -c` without proper sanitization. If the `model_uri` contains shell metacharacters, such as `$()` or backticks, it allows for command substitution and execution of attacker-controlled commands. This vulnerability affects the latest version of mlflow/mlflow and can lead to privilege escalation if a higher-privileged service serves models from a directory writable by lower-privileged users. |
Affected by 5 other vulnerabilities. |
|
VCID-wwe2-hxs5-t7eq
Aliases: BIT-mlflow-2024-0520 CVE-2024-0520 GHSA-5q6c-ffvg-xcm9 PYSEC-2024-239 |
A vulnerability in mlflow/mlflow version 8.2.1 allows for remote code execution due to improper neutralization of special elements used in an OS command ('Command Injection') within the `mlflow.data.http_dataset_source.py` module. Specifically, when loading a dataset from a source URL with an HTTP scheme, the filename extracted from the `Content-Disposition` header or the URL path is used to generate the final file path without proper sanitization. This flaw enables an attacker to control the file path fully by utilizing path traversal or absolute path techniques, such as '../../tmp/poc.txt' or '/tmp/poc.txt', leading to arbitrary file write. Exploiting this vulnerability could allow a malicious user to execute commands on the vulnerable machine, potentially gaining access to data and model information. The issue is fixed in version 2.9.0. |
Affected by 54 other vulnerabilities. |
|
VCID-y8ef-pg1n-mfey
Aliases: CVE-2024-3099 GHSA-8f8q-q2j7-7j2m |
Undefined Behavior in mlflow A vulnerability in mlflow/mlflow version 2.11.1 allows attackers to create multiple models with the same name by exploiting URL encoding. This flaw can lead to Denial of Service (DoS) as an authenticated user might not be able to use the intended model, as it will open a different model each time. Additionally, an attacker can exploit this vulnerability to perform data model poisoning by creating a model with the same name, potentially causing an authenticated user to become a victim by using the poisoned model. The issue stems from inadequate validation of model names, allowing for the creation of models with URL-encoded names that are treated as distinct from their URL-decoded counterparts. |
Affected by 33 other vulnerabilities. |
|
VCID-yaf9-1m7s-efak
Aliases: CVE-2023-6977 GHSA-qg8p-32gr-gh6x |
Path Traversal: '\..\filename' This vulnerability enables malicious users to read sensitive files on the server. |
Affected by 44 other vulnerabilities. |
|
VCID-yseh-dp68-wkfd
Aliases: CVE-2024-1483 GHSA-f82r-jj5r-6g97 |
mlflow Path Traversal vulnerability A path traversal vulnerability exists in mlflow/mlflow version 2.9.2, allowing attackers to access arbitrary files on the server. By crafting a series of HTTP POST requests with specially crafted 'artifact_location' and 'source' parameters, using a local URI with '#' instead of '?', an attacker can traverse the server's directory structure. The issue occurs due to insufficient validation of user-supplied input in the server's handlers. |
Affected by 36 other vulnerabilities. Affected by 32 other vulnerabilities. |
|
VCID-zceu-rb9t-wffu
Aliases: CVE-2023-6975 GHSA-hh8p-p8mp-gqhm |
Path Traversal: '\..\filename' A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information. |
Affected by 44 other vulnerabilities. |
|
VCID-zykc-8ayp-cba5
Aliases: CVE-2023-6976 GHSA-wv8q-4f85-2p8p |
Unrestricted Upload of File with Dangerous Type This vulnerability is capable of writing arbitrary files into arbitrary locations on the remote filesystem in the context of the server process. |
Affected by 44 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||