Lfprojects >> Mlflow >> 1.25.0 Security Vulnerabilities
Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over dataset table fields.
CVSS Score
7.5
EPSS Score
0.003
Published
2024-02-23
A malicious user could use this issue to access internal HTTP(s) servers and, in the worst case (i.e., an AWS instance), it could be abused to get remote code execution on the victim machine.
CVSS Score
8.6
EPSS Score
0.026
Published
2023-12-20
A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information.
CVSS Score
9.8
EPSS Score
0.015
Published
2023-12-20
This vulnerability is capable of writing arbitrary files into arbitrary locations on the remote filesystem in the context of the server process.
CVSS Score
8.8
EPSS Score
0.001
Published
2023-12-20
This vulnerability enables malicious users to read sensitive files on the server.
CVSS Score
10.0
EPSS Score
0.849
Published
2023-12-20
With only one user interaction (downloading a malicious config), attackers can gain full command execution on the victim system.
CVSS Score
9.0
EPSS Score
0.001
Published
2023-12-19
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.
CVSS Score
7.5
EPSS Score
0.862
Published
2023-12-18
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.
CVSS Score
8.1
EPSS Score
0.804
Published
2023-12-15
Path Traversal in GitHub repository mlflow/mlflow prior to 2.9.2.
CVSS Score
9.6
EPSS Score
0.025
Published
2023-12-13
Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository mlflow/mlflow prior to 2.9.2.
CVSS Score
10.0
EPSS Score
0.002
Published
2023-12-12

