{"url":"http://public2.vulnerablecode.io/api/packages/74951?format=json","purl":"pkg:pypi/mlflow@0.7","type":"pypi","namespace":"","name":"mlflow","version":"0.7","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.11.0rc0","latest_non_vulnerable_version":"3.11.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/218370?format=json","vulnerability_id":"VCID-2hc7-ant5-qkcu","summary":"Path Traversal: '\\..\\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-6831","reference_id":"","reference_type":"","scores":[{"value":"0.73982","scoring_system":"epss","scoring_elements":"0.98847","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-6831"},{"reference_url":"https://github.com/advisories/GHSA-554w-xh4j-8w64","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"}],"url":"https://github.com/advisories/GHSA-554w-xh4j-8w64"},{"reference_url":"https://github.com/mlflow/mlflow/commit/1da75dfcecd4d169e34809ade55748384e8af6c1","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"}],"url":"https://github.com/mlflow/mlflow/commit/1da75dfcecd4d169e34809ade55748384e8af6c1"},{"reference_url":"https://huntr.com/bounties/0acdd745-0167-4912-9d5c-02035fe5b314","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"}],"url":"https://huntr.com/bounties/0acdd745-0167-4912-9d5c-02035fe5b314"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/30377?format=json","purl":"pkg:pypi/mlflow@2.9.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bya-32tr-jfhz"},{"vulnerability":"VCID-6dra-6783-pqg1"},{"vulnerability":"VCID-6mc2-24nz-yqb4"},{"vulnerability":"VCID-7fb9-mjjp-xfax"},{"vulnerability":"VCID-7hh6-6gv3-tyeg"},{"vulnerability":"VCID-8gmy-kvc8-9fh6"},{"vulnerability":"VCID-97xj-trtn-g7ah"},{"vulnerability":"VCID-fxtg-yezw-hfhr"},{"vulnerability":"VCID-kqsy-qu8j-8ugj"},{"vulnerability":"VCID-m4yj-ast4-e3eh"},{"vulnerability":"VCID-p667-62d7-vfgv"},{"vulnerability":"VCID-sts1-rpu2-y7dv"},{"vulnerability":"VCID-tc68-59mt-4qh7"},{"vulnerability":"VCID-tnup-6wcs-pybk"},{"vulnerability":"VCID-ttwk-xeub-ebfy"},{"vulnerability":"VCID-u8jf-pjxj-8fey"},{"vulnerability":"VCID-updk-2xum-9bcb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.9.2"}],"aliases":["BIT-mlflow-2023-6831","CVE-2023-6831","GHSA-554w-xh4j-8w64","PYSEC-2023-253"],"risk_score":3.6,"exploitability":"0.5","weighted_severity":"7.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2hc7-ant5-qkcu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/58588?format=json","vulnerability_id":"VCID-2pjc-1kqa-1ygp","summary":"A vulnerability in mlflow/mlflow version 8.2.1 allows for remote code execution due to improper neutralization of special elements used in an OS command ('Command Injection') within the `mlflow.data.http_dataset_source.py` module. Specifically, when loading a dataset from a source URL with an HTTP scheme, the filename extracted from the `Content-Disposition` header or the URL path is used to generate the final file path without proper sanitization. This flaw enables an attacker to control the file path fully by utilizing path traversal or absolute path techniques, such as '../../tmp/poc.txt' or '/tmp/poc.txt', leading to arbitrary file write. Exploiting this vulnerability could allow a malicious user to execute commands on the vulnerable machine, potentially gaining access to data and model information. The issue is fixed in version 2.9.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-0520","reference_id":"","reference_type":"","scores":[{"value":"0.04877","scoring_system":"epss","scoring_elements":"0.89799","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-0520"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2024-239.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2024-239.yaml"},{"reference_url":"https://github.com/mlflow/mlflow/commit/400c226953b4568f4361bc0a0c223511652c2b9d","reference_id":"400c226953b4568f4361bc0a0c223511652c2b9d","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-06T20:17:45Z/"}],"url":"https://github.com/mlflow/mlflow/commit/400c226953b4568f4361bc0a0c223511652c2b9d"},{"reference_url":"https://huntr.com/bounties/93e470d7-b6f0-409b-af63-49d3e2a26dbc","reference_id":"93e470d7-b6f0-409b-af63-49d3e2a26dbc","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-06T20:17:45Z/"}],"url":"https://huntr.com/bounties/93e470d7-b6f0-409b-af63-49d3e2a26dbc"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-0520","reference_id":"CVE-2024-0520","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-0520"},{"reference_url":"https://github.com/advisories/GHSA-5q6c-ffvg-xcm9","reference_id":"GHSA-5q6c-ffvg-xcm9","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5q6c-ffvg-xcm9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32031?format=json","purl":"pkg:pypi/mlflow@2.9.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bya-32tr-jfhz"},{"vulnerability":"VCID-2hc7-ant5-qkcu"},{"vulnerability":"VCID-2ujt-4vpx-6khr"},{"vulnerability":"VCID-34mw-41t1-m7a9"},{"vulnerability":"VCID-6mc2-24nz-yqb4"},{"vulnerability":"VCID-7fb9-mjjp-xfax"},{"vulnerability":"VCID-97xj-trtn-g7ah"},{"vulnerability":"VCID-9prk-73hp-e3dc"},{"vulnerability":"VCID-fxtg-yezw-hfhr"},{"vulnerability":"VCID-kqsy-qu8j-8ugj"},{"vulnerability":"VCID-m4yj-ast4-e3eh"},{"vulnerability":"VCID-p667-62d7-vfgv"},{"vulnerability":"VCID-tnup-6wcs-pybk"},{"vulnerability":"VCID-ttwk-xeub-ebfy"},{"vulnerability":"VCID-u8jf-pjxj-8fey"},{"vulnerability":"VCID-updk-2xum-9bcb"},{"vulnerability":"VCID-yrt1-6bhw-nkgk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.9.0"}],"aliases":["BIT-mlflow-2024-0520","CVE-2024-0520","GHSA-5q6c-ffvg-xcm9","PYSEC-2024-239"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2pjc-1kqa-1ygp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/218359?format=json","vulnerability_id":"VCID-2ujt-4vpx-6khr","summary":"A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the Content-Type header in POST requests. An attacker can inject malicious JavaScript code into the Content-Type header, which is then improperly reflected back to the user without adequate sanitization or escaping, leading to arbitrary JavaScript execution in the context of the victim's browser. The vulnerability is present in the mlflow/server/auth/__init__.py file, where the user-supplied Content-Type header is directly injected into a Python formatted string and returned to the user, facilitating the XSS attack.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-6568","reference_id":"","reference_type":"","scores":[{"value":"0.33351","scoring_system":"epss","scoring_elements":"0.97028","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-6568"},{"reference_url":"https://github.com/advisories/GHSA-vwhf-3v6x-wff8","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://github.com/advisories/GHSA-vwhf-3v6x-wff8"},{"reference_url":"https://github.com/mlflow/mlflow/commit/28ff3f94994941e038f2172c6484b65dc4db6ca1","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://github.com/mlflow/mlflow/commit/28ff3f94994941e038f2172c6484b65dc4db6ca1"},{"reference_url":"https://huntr.com/bounties/816bdaaa-8153-4732-951e-b0d92fddf709","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://huntr.com/bounties/816bdaaa-8153-4732-951e-b0d92fddf709"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81186?format=json","purl":"pkg:pypi/mlflow@2.9.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bya-32tr-jfhz"},{"vulnerability":"VCID-2hc7-ant5-qkcu"},{"vulnerability":"VCID-34mw-41t1-m7a9"},{"vulnerability":"VCID-6mc2-24nz-yqb4"},{"vulnerability":"VCID-7fb9-mjjp-xfax"},{"vulnerability":"VCID-97xj-trtn-g7ah"},{"vulnerability":"VCID-9prk-73hp-e3dc"},{"vulnerability":"VCID-fxtg-yezw-hfhr"},{"vulnerability":"VCID-kqsy-qu8j-8ugj"},{"vulnerability":"VCID-m4yj-ast4-e3eh"},{"vulnerability":"VCID-p667-62d7-vfgv"},{"vulnerability":"VCID-tnup-6wcs-pybk"},{"vulnerability":"VCID-ttwk-xeub-ebfy"},{"vulnerability":"VCID-u8jf-pjxj-8fey"},{"vulnerability":"VCID-updk-2xum-9bcb"},{"vulnerability":"VCID-yrt1-6bhw-nkgk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.9.1"}],"aliases":["BIT-mlflow-2023-6568","CVE-2023-6568","GHSA-vwhf-3v6x-wff8","PYSEC-2023-260"],"risk_score":2.8,"exploitability":"0.5","weighted_severity":"5.5","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2ujt-4vpx-6khr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/218371?format=json","vulnerability_id":"VCID-34mw-41t1-m7a9","summary":"Path Traversal: '\\..\\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-6909","reference_id":"","reference_type":"","scores":[{"value":"0.85715","scoring_system":"epss","scoring_elements":"0.99395","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-6909"},{"reference_url":"https://github.com/advisories/GHSA-5r3q-93q3-f978","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://github.com/advisories/GHSA-5r3q-93q3-f978"},{"reference_url":"https://github.com/mlflow/mlflow/commit/1da75dfcecd4d169e34809ade55748384e8af6c1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://github.com/mlflow/mlflow/commit/1da75dfcecd4d169e34809ade55748384e8af6c1"},{"reference_url":"https://huntr.com/bounties/11209efb-0f84-482f-add0-587ea6b7e850","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://huntr.com/bounties/11209efb-0f84-482f-add0-587ea6b7e850"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/30377?format=json","purl":"pkg:pypi/mlflow@2.9.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bya-32tr-jfhz"},{"vulnerability":"VCID-6dra-6783-pqg1"},{"vulnerability":"VCID-6mc2-24nz-yqb4"},{"vulnerability":"VCID-7fb9-mjjp-xfax"},{"vulnerability":"VCID-7hh6-6gv3-tyeg"},{"vulnerability":"VCID-8gmy-kvc8-9fh6"},{"vulnerability":"VCID-97xj-trtn-g7ah"},{"vulnerability":"VCID-fxtg-yezw-hfhr"},{"vulnerability":"VCID-kqsy-qu8j-8ugj"},{"vulnerability":"VCID-m4yj-ast4-e3eh"},{"vulnerability":"VCID-p667-62d7-vfgv"},{"vulnerability":"VCID-sts1-rpu2-y7dv"},{"vulnerability":"VCID-tc68-59mt-4qh7"},{"vulnerability":"VCID-tnup-6wcs-pybk"},{"vulnerability":"VCID-ttwk-xeub-ebfy"},{"vulnerability":"VCID-u8jf-pjxj-8fey"},{"vulnerability":"VCID-updk-2xum-9bcb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.9.2"}],"aliases":["BIT-mlflow-2023-6909","CVE-2023-6909","GHSA-5r3q-93q3-f978","PYSEC-2023-252"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-34mw-41t1-m7a9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/144388?format=json","vulnerability_id":"VCID-37nb-rkj6-e7h9","summary":"Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.2.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-1176","reference_id":"","reference_type":"","scores":[{"value":"0.00157","scoring_system":"epss","scoring_elements":"0.36338","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-1176"},{"reference_url":"https://github.com/advisories/GHSA-wp72-7hj9-5265","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-wp72-7hj9-5265"},{"reference_url":"https://github.com/mlflow/mlflow/commit/63ef72aa4334a6473ce7f889573c92fcae0b3c0d","reference_id":"63ef72aa4334a6473ce7f889573c92fcae0b3c0d","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-19T20:57:52Z/"}],"url":"https://github.com/mlflow/mlflow/commit/63ef72aa4334a6473ce7f889573c92fcae0b3c0d"},{"reference_url":"https://huntr.dev/bounties/ae92f814-6a08-435c-8445-eec0ef4f1085","reference_id":"ae92f814-6a08-435c-8445-eec0ef4f1085","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-19T20:57:52Z/"}],"url":"https://huntr.dev/bounties/ae92f814-6a08-435c-8445-eec0ef4f1085"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74966?format=json","purl":"pkg:pypi/mlflow@2.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bya-32tr-jfhz"},{"vulnerability":"VCID-2hc7-ant5-qkcu"},{"vulnerability":"VCID-2pjc-1kqa-1ygp"},{"vulnerability":"VCID-2ujt-4vpx-6khr"},{"vulnerability":"VCID-34mw-41t1-m7a9"},{"vulnerability":"VCID-6mc2-24nz-yqb4"},{"vulnerability":"VCID-7fb9-mjjp-xfax"},{"vulnerability":"VCID-97xj-trtn-g7ah"},{"vulnerability":"VCID-9prk-73hp-e3dc"},{"vulnerability":"VCID-fxtg-yezw-hfhr"},{"vulnerability":"VCID-kqsy-qu8j-8ugj"},{"vulnerability":"VCID-m4yj-ast4-e3eh"},{"vulnerability":"VCID-n8p5-749r-rqdu"},{"vulnerability":"VCID-p667-62d7-vfgv"},{"vulnerability":"VCID-r1na-1j6c-vffy"},{"vulnerability":"VCID-tnup-6wcs-pybk"},{"vulnerability":"VCID-ttwk-xeub-ebfy"},{"vulnerability":"VCID-u8jf-pjxj-8fey"},{"vulnerability":"VCID-updk-2xum-9bcb"},{"vulnerability":"VCID-vtmk-7xbe-afbe"},{"vulnerability":"VCID-wxeg-ygz4-gqbp"},{"vulnerability":"VCID-yrt1-6bhw-nkgk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.2.2"}],"aliases":["BIT-mlflow-2023-1176","CVE-2023-1176","GHSA-wp72-7hj9-5265","PYSEC-2023-28"],"risk_score":2.4,"exploitability":"0.5","weighted_severity":"4.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-37nb-rkj6-e7h9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/64135?format=json","vulnerability_id":"VCID-7fb9-mjjp-xfax","summary":"A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '#' character can be used to insert a path into the fragment, effectively skipping validation. This allows an attacker to construct a URL that, when processed, ignores the protocol scheme and uses the provided path for filesystem access. As a result, an attacker can read arbitrary files, including sensitive information such as SSH and cloud keys, by exploiting the way the application converts the URL into a filesystem path. The issue stems from insufficient validation of the fragment portion of the URL, leading to arbitrary file read through path traversal.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-3848","reference_id":"","reference_type":"","scores":[{"value":"0.76102","scoring_system":"epss","scoring_elements":"0.98943","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-3848"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2024-244.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2024-244.yaml"},{"reference_url":"https://huntr.com/bounties/8d5aadaa-522f-4839-b41b-d7da362dd610","reference_id":"8d5aadaa-522f-4839-b41b-d7da362dd610","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-16T13:51:45Z/"}],"url":"https://huntr.com/bounties/8d5aadaa-522f-4839-b41b-d7da362dd610"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-3848","reference_id":"CVE-2024-3848","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-3848"},{"reference_url":"https://github.com/mlflow/mlflow/commit/f8d51e21523238280ebcfdb378612afd7844eca8","reference_id":"f8d51e21523238280ebcfdb378612afd7844eca8","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-16T13:51:45Z/"}],"url":"https://github.com/mlflow/mlflow/commit/f8d51e21523238280ebcfdb378612afd7844eca8"},{"reference_url":"https://github.com/advisories/GHSA-rfqq-wq6w-72jm","reference_id":"GHSA-rfqq-wq6w-72jm","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rfqq-wq6w-72jm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/30378?format=json","purl":"pkg:pypi/mlflow@2.12.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bya-32tr-jfhz"},{"vulnerability":"VCID-6mc2-24nz-yqb4"},{"vulnerability":"VCID-97xj-trtn-g7ah"},{"vulnerability":"VCID-fxtg-yezw-hfhr"},{"vulnerability":"VCID-kqsy-qu8j-8ugj"},{"vulnerability":"VCID-u8jf-pjxj-8fey"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.12.1"}],"aliases":["BIT-mlflow-2024-3848","CVE-2024-3848","GHSA-rfqq-wq6w-72jm","PYSEC-2024-244"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7fb9-mjjp-xfax"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/104993?format=json","vulnerability_id":"VCID-97xj-trtn-g7ah","summary":"gateway_proxy_handler in MLflow before 3.1.0 lacks gateway_path validation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-52967","reference_id":"","reference_type":"","scores":[{"value":"0.00247","scoring_system":"epss","scoring_elements":"0.48243","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-52967"},{"reference_url":"https://github.com/advisories/GHSA-wxj7-3fx5-pp9m","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-wxj7-3fx5-pp9m"},{"reference_url":"https://github.com/mlflow/mlflow/issues/15944","reference_id":"15944","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-23T20:12:42Z/"}],"url":"https://github.com/mlflow/mlflow/issues/15944"},{"reference_url":"https://github.com/mlflow/mlflow/pull/15970","reference_id":"15970","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-23T20:12:42Z/"}],"url":"https://github.com/mlflow/mlflow/pull/15970"},{"reference_url":"https://github.com/mlflow/mlflow/releases/tag/v3.1.0","reference_id":"v3.1.0","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-23T20:12:42Z/"}],"url":"https://github.com/mlflow/mlflow/releases/tag/v3.1.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/88255?format=json","purl":"pkg:pypi/mlflow@3.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bya-32tr-jfhz"},{"vulnerability":"VCID-fxtg-yezw-hfhr"},{"vulnerability":"VCID-kqsy-qu8j-8ugj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@3.1.0"}],"aliases":["BIT-mlflow-2025-52967","CVE-2025-52967","GHSA-wxj7-3fx5-pp9m","PYSEC-2025-52"],"risk_score":2.6,"exploitability":"0.5","weighted_severity":"5.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-97xj-trtn-g7ah"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/142880?format=json","vulnerability_id":"VCID-9prk-73hp-e3dc","summary":"Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository mlflow/mlflow prior to 2.9.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-6709","reference_id":"","reference_type":"","scores":[{"value":"0.00262","scoring_system":"epss","scoring_elements":"0.49853","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-6709"},{"reference_url":"https://github.com/advisories/GHSA-cxfr-5q3r-2rc2","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://github.com/advisories/GHSA-cxfr-5q3r-2rc2"},{"reference_url":"https://github.com/mlflow/mlflow/commit/432b8ccf27fd3a76df4ba79bb1bec62118a85625","reference_id":"432b8ccf27fd3a76df4ba79bb1bec62118a85625","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-08T19:52:15Z/"}],"url":"https://github.com/mlflow/mlflow/commit/432b8ccf27fd3a76df4ba79bb1bec62118a85625"},{"reference_url":"https://huntr.com/bounties/9e4cc07b-6fff-421b-89bd-9445ef61d34d","reference_id":"9e4cc07b-6fff-421b-89bd-9445ef61d34d","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-08T19:52:15Z/"}],"url":"https://huntr.com/bounties/9e4cc07b-6fff-421b-89bd-9445ef61d34d"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/30377?format=json","purl":"pkg:pypi/mlflow@2.9.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bya-32tr-jfhz"},{"vulnerability":"VCID-6dra-6783-pqg1"},{"vulnerability":"VCID-6mc2-24nz-yqb4"},{"vulnerability":"VCID-7fb9-mjjp-xfax"},{"vulnerability":"VCID-7hh6-6gv3-tyeg"},{"vulnerability":"VCID-8gmy-kvc8-9fh6"},{"vulnerability":"VCID-97xj-trtn-g7ah"},{"vulnerability":"VCID-fxtg-yezw-hfhr"},{"vulnerability":"VCID-kqsy-qu8j-8ugj"},{"vulnerability":"VCID-m4yj-ast4-e3eh"},{"vulnerability":"VCID-p667-62d7-vfgv"},{"vulnerability":"VCID-sts1-rpu2-y7dv"},{"vulnerability":"VCID-tc68-59mt-4qh7"},{"vulnerability":"VCID-tnup-6wcs-pybk"},{"vulnerability":"VCID-ttwk-xeub-ebfy"},{"vulnerability":"VCID-u8jf-pjxj-8fey"},{"vulnerability":"VCID-updk-2xum-9bcb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.9.2"}],"aliases":["BIT-mlflow-2023-6709","CVE-2023-6709","GHSA-cxfr-5q3r-2rc2","PYSEC-2023-281"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9prk-73hp-e3dc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/64352?format=json","vulnerability_id":"VCID-m4yj-ast4-e3eh","summary":"mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary files on the system. The issue arises from the 'is_local_uri' function's failure to properly handle URIs with empty or 'file' schemes, leading to the misclassification of URIs as non-local. Attackers can exploit this by crafting malicious model versions with specially crafted 'source' parameters, enabling the reading of sensitive files within at least two directory levels from the server's root.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-3573","reference_id":"","reference_type":"","scores":[{"value":"0.00199","scoring_system":"epss","scoring_elements":"0.41901","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-3573"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2024-243.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2024-243.yaml"},{"reference_url":"https://github.com/mlflow/mlflow/commit/438a450714a3ca06285eeea34bdc6cf79d7f6cbc","reference_id":"438a450714a3ca06285eeea34bdc6cf79d7f6cbc","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N"},{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-17T19:40:10Z/"}],"url":"https://github.com/mlflow/mlflow/commit/438a450714a3ca06285eeea34bdc6cf79d7f6cbc"},{"reference_url":"https://huntr.com/bounties/8ea058a7-4ef8-4baf-9198-bc0147fc543c","reference_id":"8ea058a7-4ef8-4baf-9198-bc0147fc543c","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N"},{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-17T19:40:10Z/"}],"url":"https://huntr.com/bounties/8ea058a7-4ef8-4baf-9198-bc0147fc543c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-3573","reference_id":"CVE-2024-3573","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-3573"},{"reference_url":"https://github.com/advisories/GHSA-hq88-wg7q-gp4g","reference_id":"GHSA-hq88-wg7q-gp4g","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hq88-wg7q-gp4g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/29291?format=json","purl":"pkg:pypi/mlflow@2.10.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bya-32tr-jfhz"},{"vulnerability":"VCID-6mc2-24nz-yqb4"},{"vulnerability":"VCID-7fb9-mjjp-xfax"},{"vulnerability":"VCID-97xj-trtn-g7ah"},{"vulnerability":"VCID-fxtg-yezw-hfhr"},{"vulnerability":"VCID-kqsy-qu8j-8ugj"},{"vulnerability":"VCID-p667-62d7-vfgv"},{"vulnerability":"VCID-tnup-6wcs-pybk"},{"vulnerability":"VCID-u8jf-pjxj-8fey"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.10.0"}],"aliases":["BIT-mlflow-2024-3573","CVE-2024-3573","GHSA-hq88-wg7q-gp4g","PYSEC-2024-243"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-m4yj-ast4-e3eh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/151163?format=json","vulnerability_id":"VCID-n8p5-749r-rqdu","summary":"Relative Path Traversal in GitHub repository mlflow/mlflow prior to 2.3.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-2356","reference_id":"","reference_type":"","scores":[{"value":"0.89021","scoring_system":"epss","scoring_elements":"0.99548","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-2356"},{"reference_url":"https://github.com/advisories/GHSA-x422-6qhv-p29g","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-x422-6qhv-p29g"},{"reference_url":"https://huntr.dev/bounties/7b5d130d-38eb-4133-8c7d-0dfc9a9d9896","reference_id":"7b5d130d-38eb-4133-8c7d-0dfc9a9d9896","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-01-30T20:48:24Z/"}],"url":"https://huntr.dev/bounties/7b5d130d-38eb-4133-8c7d-0dfc9a9d9896"},{"reference_url":"https://github.com/mlflow/mlflow/commit/f73147496e05c09a8b83d95fb4f1bf86696c6342","reference_id":"f73147496e05c09a8b83d95fb4f1bf86696c6342","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-01-30T20:48:24Z/"}],"url":"https://github.com/mlflow/mlflow/commit/f73147496e05c09a8b83d95fb4f1bf86696c6342"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75834?format=json","purl":"pkg:pypi/mlflow@2.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bya-32tr-jfhz"},{"vulnerability":"VCID-2hc7-ant5-qkcu"},{"vulnerability":"VCID-2pjc-1kqa-1ygp"},{"vulnerability":"VCID-2ujt-4vpx-6khr"},{"vulnerability":"VCID-34mw-41t1-m7a9"},{"vulnerability":"VCID-6mc2-24nz-yqb4"},{"vulnerability":"VCID-7fb9-mjjp-xfax"},{"vulnerability":"VCID-97xj-trtn-g7ah"},{"vulnerability":"VCID-9prk-73hp-e3dc"},{"vulnerability":"VCID-fxtg-yezw-hfhr"},{"vulnerability":"VCID-kqsy-qu8j-8ugj"},{"vulnerability":"VCID-m4yj-ast4-e3eh"},{"vulnerability":"VCID-p667-62d7-vfgv"},{"vulnerability":"VCID-r1na-1j6c-vffy"},{"vulnerability":"VCID-tnup-6wcs-pybk"},{"vulnerability":"VCID-ttwk-xeub-ebfy"},{"vulnerability":"VCID-u8jf-pjxj-8fey"},{"vulnerability":"VCID-updk-2xum-9bcb"},{"vulnerability":"VCID-wxeg-ygz4-gqbp"},{"vulnerability":"VCID-yrt1-6bhw-nkgk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.3.1"}],"aliases":["BIT-mlflow-2023-2356","CVE-2023-2356","GHSA-x422-6qhv-p29g","PYSEC-2023-68"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n8p5-749r-rqdu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/151300?format=json","vulnerability_id":"VCID-r1na-1j6c-vffy","summary":"Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-3765","reference_id":"","reference_type":"","scores":[{"value":"0.91453","scoring_system":"epss","scoring_elements":"0.99682","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-3765"},{"reference_url":"https://github.com/advisories/GHSA-fmxj-6h9g-6vw3","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://github.com/advisories/GHSA-fmxj-6h9g-6vw3"},{"reference_url":"https://huntr.dev/bounties/4be5fd63-8a0a-490d-9ee1-f33dc768ed76","reference_id":"4be5fd63-8a0a-490d-9ee1-f33dc768ed76","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-24T18:17:22Z/"}],"url":"https://huntr.dev/bounties/4be5fd63-8a0a-490d-9ee1-f33dc768ed76"},{"reference_url":"https://github.com/mlflow/mlflow/commit/6dde93758d42455cb90ef324407919ed67668b9b","reference_id":"6dde93758d42455cb90ef324407919ed67668b9b","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-24T18:17:22Z/"}],"url":"https://github.com/mlflow/mlflow/commit/6dde93758d42455cb90ef324407919ed67668b9b"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/31900?format=json","purl":"pkg:pypi/mlflow@2.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bya-32tr-jfhz"},{"vulnerability":"VCID-2hc7-ant5-qkcu"},{"vulnerability":"VCID-2pjc-1kqa-1ygp"},{"vulnerability":"VCID-2ujt-4vpx-6khr"},{"vulnerability":"VCID-34mw-41t1-m7a9"},{"vulnerability":"VCID-3t2e-xs79-u7cd"},{"vulnerability":"VCID-6mc2-24nz-yqb4"},{"vulnerability":"VCID-7fb9-mjjp-xfax"},{"vulnerability":"VCID-97xj-trtn-g7ah"},{"vulnerability":"VCID-9prk-73hp-e3dc"},{"vulnerability":"VCID-fxtg-yezw-hfhr"},{"vulnerability":"VCID-kqsy-qu8j-8ugj"},{"vulnerability":"VCID-m4yj-ast4-e3eh"},{"vulnerability":"VCID-p667-62d7-vfgv"},{"vulnerability":"VCID-tnup-6wcs-pybk"},{"vulnerability":"VCID-ttwk-xeub-ebfy"},{"vulnerability":"VCID-u8jf-pjxj-8fey"},{"vulnerability":"VCID-updk-2xum-9bcb"},{"vulnerability":"VCID-wxeg-ygz4-gqbp"},{"vulnerability":"VCID-yrt1-6bhw-nkgk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.5.0"}],"aliases":["BIT-mlflow-2023-3765","CVE-2023-3765","GHSA-fmxj-6h9g-6vw3","PYSEC-2023-308"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r1na-1j6c-vffy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/151102?format=json","vulnerability_id":"VCID-vtmk-7xbe-afbe","summary":"Path Traversal: '\\..\\filename' in GitHub repository mlflow/mlflow prior to 2.3.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-2780","reference_id":"","reference_type":"","scores":[{"value":"0.86137","scoring_system":"epss","scoring_elements":"0.99416","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-2780"},{"reference_url":"https://github.com/advisories/GHSA-wjq3-7jxx-whj9","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-wjq3-7jxx-whj9"},{"reference_url":"https://huntr.dev/bounties/b12b0073-0bb0-4bd1-8fc2-ec7f17fd7689","reference_id":"b12b0073-0bb0-4bd1-8fc2-ec7f17fd7689","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-01-22T18:03:46Z/"}],"url":"https://huntr.dev/bounties/b12b0073-0bb0-4bd1-8fc2-ec7f17fd7689"},{"reference_url":"https://github.com/mlflow/mlflow/commit/fae77a525dd908c56d6204a4cef1c1c75b4e9857","reference_id":"fae77a525dd908c56d6204a4cef1c1c75b4e9857","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-01-22T18:03:46Z/"}],"url":"https://github.com/mlflow/mlflow/commit/fae77a525dd908c56d6204a4cef1c1c75b4e9857"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75834?format=json","purl":"pkg:pypi/mlflow@2.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bya-32tr-jfhz"},{"vulnerability":"VCID-2hc7-ant5-qkcu"},{"vulnerability":"VCID-2pjc-1kqa-1ygp"},{"vulnerability":"VCID-2ujt-4vpx-6khr"},{"vulnerability":"VCID-34mw-41t1-m7a9"},{"vulnerability":"VCID-6mc2-24nz-yqb4"},{"vulnerability":"VCID-7fb9-mjjp-xfax"},{"vulnerability":"VCID-97xj-trtn-g7ah"},{"vulnerability":"VCID-9prk-73hp-e3dc"},{"vulnerability":"VCID-fxtg-yezw-hfhr"},{"vulnerability":"VCID-kqsy-qu8j-8ugj"},{"vulnerability":"VCID-m4yj-ast4-e3eh"},{"vulnerability":"VCID-p667-62d7-vfgv"},{"vulnerability":"VCID-r1na-1j6c-vffy"},{"vulnerability":"VCID-tnup-6wcs-pybk"},{"vulnerability":"VCID-ttwk-xeub-ebfy"},{"vulnerability":"VCID-u8jf-pjxj-8fey"},{"vulnerability":"VCID-updk-2xum-9bcb"},{"vulnerability":"VCID-wxeg-ygz4-gqbp"},{"vulnerability":"VCID-yrt1-6bhw-nkgk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.3.1"}],"aliases":["BIT-mlflow-2023-2780","CVE-2023-2780","GHSA-wjq3-7jxx-whj9","PYSEC-2023-69"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vtmk-7xbe-afbe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/140303?format=json","vulnerability_id":"VCID-wxeg-ygz4-gqbp","summary":"OS Command Injection in GitHub repository mlflow/mlflow prior to 2.6.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-4033","reference_id":"","reference_type":"","scores":[{"value":"0.00182","scoring_system":"epss","scoring_elements":"0.39705","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-4033"},{"reference_url":"https://github.com/advisories/GHSA-ffw3-6378-cqgp","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://github.com/advisories/GHSA-ffw3-6378-cqgp"},{"reference_url":"https://huntr.dev/bounties/5312d6f8-67a5-4607-bd47-5e19966fa321","reference_id":"5312d6f8-67a5-4607-bd47-5e19966fa321","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-15T14:09:29Z/"}],"url":"https://huntr.dev/bounties/5312d6f8-67a5-4607-bd47-5e19966fa321"},{"reference_url":"https://github.com/mlflow/mlflow/commit/6dde93758d42455cb90ef324407919ed67668b9b","reference_id":"6dde93758d42455cb90ef324407919ed67668b9b","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-15T14:09:29Z/"}],"url":"https://github.com/mlflow/mlflow/commit/6dde93758d42455cb90ef324407919ed67668b9b"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/77464?format=json","purl":"pkg:pypi/mlflow@2.6.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bya-32tr-jfhz"},{"vulnerability":"VCID-2hc7-ant5-qkcu"},{"vulnerability":"VCID-2pjc-1kqa-1ygp"},{"vulnerability":"VCID-2ujt-4vpx-6khr"},{"vulnerability":"VCID-34mw-41t1-m7a9"},{"vulnerability":"VCID-6mc2-24nz-yqb4"},{"vulnerability":"VCID-7fb9-mjjp-xfax"},{"vulnerability":"VCID-97xj-trtn-g7ah"},{"vulnerability":"VCID-9prk-73hp-e3dc"},{"vulnerability":"VCID-fxtg-yezw-hfhr"},{"vulnerability":"VCID-kqsy-qu8j-8ugj"},{"vulnerability":"VCID-m4yj-ast4-e3eh"},{"vulnerability":"VCID-p667-62d7-vfgv"},{"vulnerability":"VCID-tnup-6wcs-pybk"},{"vulnerability":"VCID-ttwk-xeub-ebfy"},{"vulnerability":"VCID-u8jf-pjxj-8fey"},{"vulnerability":"VCID-updk-2xum-9bcb"},{"vulnerability":"VCID-yrt1-6bhw-nkgk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.6.0"}],"aliases":["BIT-mlflow-2023-4033","CVE-2023-4033","GHSA-ffw3-6378-cqgp","PYSEC-2023-280"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"7.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wxeg-ygz4-gqbp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/142422?format=json","vulnerability_id":"VCID-yrt1-6bhw-nkgk","summary":"Path Traversal in GitHub repository mlflow/mlflow prior to 2.9.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-6753","reference_id":"","reference_type":"","scores":[{"value":"0.02418","scoring_system":"epss","scoring_elements":"0.85445","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-6753"},{"reference_url":"https://github.com/advisories/GHSA-v945-r3rc-6fjm","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://github.com/advisories/GHSA-v945-r3rc-6fjm"},{"reference_url":"https://github.com/mlflow/mlflow/commit/1c6309f884798fbf56017a3cc808016869ee8de4","reference_id":"1c6309f884798fbf56017a3cc808016869ee8de4","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-02-06T16:29:37Z/"}],"url":"https://github.com/mlflow/mlflow/commit/1c6309f884798fbf56017a3cc808016869ee8de4"},{"reference_url":"https://huntr.com/bounties/b397b83a-527a-47e7-b912-a12a17a6cfb4","reference_id":"b397b83a-527a-47e7-b912-a12a17a6cfb4","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-02-06T16:29:37Z/"}],"url":"https://huntr.com/bounties/b397b83a-527a-47e7-b912-a12a17a6cfb4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/30377?format=json","purl":"pkg:pypi/mlflow@2.9.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bya-32tr-jfhz"},{"vulnerability":"VCID-6dra-6783-pqg1"},{"vulnerability":"VCID-6mc2-24nz-yqb4"},{"vulnerability":"VCID-7fb9-mjjp-xfax"},{"vulnerability":"VCID-7hh6-6gv3-tyeg"},{"vulnerability":"VCID-8gmy-kvc8-9fh6"},{"vulnerability":"VCID-97xj-trtn-g7ah"},{"vulnerability":"VCID-fxtg-yezw-hfhr"},{"vulnerability":"VCID-kqsy-qu8j-8ugj"},{"vulnerability":"VCID-m4yj-ast4-e3eh"},{"vulnerability":"VCID-p667-62d7-vfgv"},{"vulnerability":"VCID-sts1-rpu2-y7dv"},{"vulnerability":"VCID-tc68-59mt-4qh7"},{"vulnerability":"VCID-tnup-6wcs-pybk"},{"vulnerability":"VCID-ttwk-xeub-ebfy"},{"vulnerability":"VCID-u8jf-pjxj-8fey"},{"vulnerability":"VCID-updk-2xum-9bcb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.9.2"}],"aliases":["BIT-mlflow-2023-6753","CVE-2023-6753","GHSA-v945-r3rc-6fjm","PYSEC-2023-309"],"risk_score":4.3,"exploitability":"0.5","weighted_severity":"8.6","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yrt1-6bhw-nkgk"}],"fixing_vulnerabilities":[],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@0.7"}