Open mend-for-github-com[bot] opened 4 months ago
mend-for-github-com[bot]
commented
4 months ago :heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
mend-for-github-com[bot]
commented
4 months ago :information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
MLflow is an open source platform for the complete machine learning lifecycle
Library home page: https://files.pythonhosted.org/packages/ce/d4/756d5cd1304fbbaac8624ce93cedba804237586d69c17ac1cdaf6daefd52/mlflow-2.10.2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 980c33eab0567755c6395fde59d9ac00f8cd245a
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-37061
### Vulnerable Library - mlflow-2.10.2-py3-none-any.whlMLflow is an open source platform for the complete machine learning lifecycle
Library home page: https://files.pythonhosted.org/packages/ce/d4/756d5cd1304fbbaac8624ce93cedba804237586d69c17ac1cdaf6daefd52/mlflow-2.10.2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **mlflow-2.10.2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 980c33eab0567755c6395fde59d9ac00f8cd245a
Found in base branch: main
### Vulnerability DetailsRemote Code Execution can occur in versions of the MLflow platform running version 1.11.0 or newer, enabling a maliciously crafted MLproject to execute arbitrary code on an end user’s system when run.
Publish Date: 2024-06-04
URL: CVE-2024-37061
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-37061
Release Date: 2024-06-04
Fix Resolution: 2.11.3
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-37060
### Vulnerable Library - mlflow-2.10.2-py3-none-any.whlMLflow is an open source platform for the complete machine learning lifecycle
Library home page: https://files.pythonhosted.org/packages/ce/d4/756d5cd1304fbbaac8624ce93cedba804237586d69c17ac1cdaf6daefd52/mlflow-2.10.2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **mlflow-2.10.2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 980c33eab0567755c6395fde59d9ac00f8cd245a
Found in base branch: main
### Vulnerability DetailsDeserialization of untrusted data can occur in versions of the MLflow platform running version 1.27.0 or newer, enabling a maliciously crafted Recipe to execute arbitrary code on an end user’s system when run.
Publish Date: 2024-06-04
URL: CVE-2024-37060
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-37060
Release Date: 2024-06-04
Fix Resolution: 2.11.3
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-37059
### Vulnerable Library - mlflow-2.10.2-py3-none-any.whlMLflow is an open source platform for the complete machine learning lifecycle
Library home page: https://files.pythonhosted.org/packages/ce/d4/756d5cd1304fbbaac8624ce93cedba804237586d69c17ac1cdaf6daefd52/mlflow-2.10.2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **mlflow-2.10.2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 980c33eab0567755c6395fde59d9ac00f8cd245a
Found in base branch: main
### Vulnerability DetailsDeserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with.
Publish Date: 2024-06-04
URL: CVE-2024-37059
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-37059
Release Date: 2024-06-04
Fix Resolution: 2.11.3
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-37058
### Vulnerable Library - mlflow-2.10.2-py3-none-any.whlMLflow is an open source platform for the complete machine learning lifecycle
Library home page: https://files.pythonhosted.org/packages/ce/d4/756d5cd1304fbbaac8624ce93cedba804237586d69c17ac1cdaf6daefd52/mlflow-2.10.2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **mlflow-2.10.2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 980c33eab0567755c6395fde59d9ac00f8cd245a
Found in base branch: main
### Vulnerability DetailsDeserialization of untrusted data can occur in versions of the MLflow platform running version 2.5.0 or newer, enabling a maliciously uploaded Langchain AgentExecutor model to run arbitrary code on an end user’s system when interacted with.
Publish Date: 2024-06-04
URL: CVE-2024-37058
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.
CVE-2024-37057
### Vulnerable Library - mlflow-2.10.2-py3-none-any.whlMLflow is an open source platform for the complete machine learning lifecycle
Library home page: https://files.pythonhosted.org/packages/ce/d4/756d5cd1304fbbaac8624ce93cedba804237586d69c17ac1cdaf6daefd52/mlflow-2.10.2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **mlflow-2.10.2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 980c33eab0567755c6395fde59d9ac00f8cd245a
Found in base branch: main
### Vulnerability DetailsDeserialization of untrusted data can occur in versions of the MLflow platform running version 2.0.0rc0 or newer, enabling a maliciously uploaded Tensorflow model to run arbitrary code on an end user’s system when interacted with.
Publish Date: 2024-06-04
URL: CVE-2024-37057
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-37057
Release Date: 2024-06-04
Fix Resolution: 2.11.3
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-37056
### Vulnerable Library - mlflow-2.10.2-py3-none-any.whlMLflow is an open source platform for the complete machine learning lifecycle
Library home page: https://files.pythonhosted.org/packages/ce/d4/756d5cd1304fbbaac8624ce93cedba804237586d69c17ac1cdaf6daefd52/mlflow-2.10.2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **mlflow-2.10.2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 980c33eab0567755c6395fde59d9ac00f8cd245a
Found in base branch: main
### Vulnerability DetailsDeserialization of untrusted data can occur in versions of the MLflow platform running version 1.23.0 or newer, enabling a maliciously uploaded LightGBM scikit-learn model to run arbitrary code on an end user’s system when interacted with.
Publish Date: 2024-06-04
URL: CVE-2024-37056
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-37056
Release Date: 2024-06-04
Fix Resolution: 2.11.3
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-37055
### Vulnerable Library - mlflow-2.10.2-py3-none-any.whlMLflow is an open source platform for the complete machine learning lifecycle
Library home page: https://files.pythonhosted.org/packages/ce/d4/756d5cd1304fbbaac8624ce93cedba804237586d69c17ac1cdaf6daefd52/mlflow-2.10.2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **mlflow-2.10.2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 980c33eab0567755c6395fde59d9ac00f8cd245a
Found in base branch: main
### Vulnerability DetailsDeserialization of untrusted data can occur in versions of the MLflow platform running version 1.24.0 or newer, enabling a maliciously uploaded pmdarima model to run arbitrary code on an end user’s system when interacted with.
Publish Date: 2024-06-04
URL: CVE-2024-37055
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-37055
Release Date: 2024-06-04
Fix Resolution: 2.11.3
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-37054
### Vulnerable Library - mlflow-2.10.2-py3-none-any.whlMLflow is an open source platform for the complete machine learning lifecycle
Library home page: https://files.pythonhosted.org/packages/ce/d4/756d5cd1304fbbaac8624ce93cedba804237586d69c17ac1cdaf6daefd52/mlflow-2.10.2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **mlflow-2.10.2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 980c33eab0567755c6395fde59d9ac00f8cd245a
Found in base branch: main
### Vulnerability DetailsDeserialization of untrusted data can occur in versions of the MLflow platform running version 0.9.0 or newer, enabling a maliciously uploaded PyFunc model to run arbitrary code on an end user’s system when interacted with.
Publish Date: 2024-06-04
URL: CVE-2024-37054
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-37054
Release Date: 2024-06-04
Fix Resolution: 2.11.3
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-37053
### Vulnerable Library - mlflow-2.10.2-py3-none-any.whlMLflow is an open source platform for the complete machine learning lifecycle
Library home page: https://files.pythonhosted.org/packages/ce/d4/756d5cd1304fbbaac8624ce93cedba804237586d69c17ac1cdaf6daefd52/mlflow-2.10.2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **mlflow-2.10.2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 980c33eab0567755c6395fde59d9ac00f8cd245a
Found in base branch: main
### Vulnerability DetailsDeserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with.
Publish Date: 2024-06-04
URL: CVE-2024-37053
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-37053
Release Date: 2024-06-04
Fix Resolution: 2.11.3
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-37052
### Vulnerable Library - mlflow-2.10.2-py3-none-any.whlMLflow is an open source platform for the complete machine learning lifecycle
Library home page: https://files.pythonhosted.org/packages/ce/d4/756d5cd1304fbbaac8624ce93cedba804237586d69c17ac1cdaf6daefd52/mlflow-2.10.2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **mlflow-2.10.2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 980c33eab0567755c6395fde59d9ac00f8cd245a
Found in base branch: main
### Vulnerability DetailsDeserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with.
Publish Date: 2024-06-04
URL: CVE-2024-37052
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-37052
Release Date: 2024-06-04
Fix Resolution: 2.11.3
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-1560
### Vulnerable Library - mlflow-2.10.2-py3-none-any.whlMLflow is an open source platform for the complete machine learning lifecycle
Library home page: https://files.pythonhosted.org/packages/ce/d4/756d5cd1304fbbaac8624ce93cedba804237586d69c17ac1cdaf6daefd52/mlflow-2.10.2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **mlflow-2.10.2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 980c33eab0567755c6395fde59d9ac00f8cd245a
Found in base branch: main
### Vulnerability DetailsA path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the artifact deletion functionality. Attackers can bypass path validation by exploiting the double decoding process in the `_delete_artifact_mlflow_artifacts` handler and `local_file_uri_to_path` function, allowing for the deletion of arbitrary directories on the server's filesystem. This vulnerability is due to an extra unquote operation in the `delete_artifacts` function of `local_artifact_repo.py`, which fails to properly sanitize user-supplied paths. The issue is present up to version 2.9.2, despite attempts to fix a similar issue in CVE-2023-6831.
Publish Date: 2024-04-16
URL: CVE-2024-1560
### CVSS 3 Score Details (8.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-1560
Release Date: 2024-04-16
Fix Resolution: 2.11.3
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-3848
### Vulnerable Library - mlflow-2.10.2-py3-none-any.whlMLflow is an open source platform for the complete machine learning lifecycle
Library home page: https://files.pythonhosted.org/packages/ce/d4/756d5cd1304fbbaac8624ce93cedba804237586d69c17ac1cdaf6daefd52/mlflow-2.10.2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **mlflow-2.10.2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 980c33eab0567755c6395fde59d9ac00f8cd245a
Found in base branch: main
### Vulnerability DetailsA path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '#' character can be used to insert a path into the fragment, effectively skipping validation. This allows an attacker to construct a URL that, when processed, ignores the protocol scheme and uses the provided path for filesystem access. As a result, an attacker can read arbitrary files, including sensitive information such as SSH and cloud keys, by exploiting the way the application converts the URL into a filesystem path. The issue stems from insufficient validation of the fragment portion of the URL, leading to arbitrary file read through path traversal.
Publish Date: 2024-05-16
URL: CVE-2024-3848
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-3848
Release Date: 2024-05-16
Fix Resolution: 2.11.2
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-2928
### Vulnerable Library - mlflow-2.10.2-py3-none-any.whlMLflow is an open source platform for the complete machine learning lifecycle
Library home page: https://files.pythonhosted.org/packages/ce/d4/756d5cd1304fbbaac8624ce93cedba804237586d69c17ac1cdaf6daefd52/mlflow-2.10.2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **mlflow-2.10.2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 980c33eab0567755c6395fde59d9ac00f8cd245a
Found in base branch: main
### Vulnerability DetailsA Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system, including sensitive files like '/etc/passwd'. The vulnerability is a bypass to a previous patch that only addressed similar manipulation within the URI's query string, highlighting the need for comprehensive validation of all parts of a URI to prevent LFI attacks.
Publish Date: 2024-06-06
URL: CVE-2024-2928
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-2928
Release Date: 2024-06-06
Fix Resolution: 2.11.3
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-1594
### Vulnerable Library - mlflow-2.10.2-py3-none-any.whlMLflow is an open source platform for the complete machine learning lifecycle
Library home page: https://files.pythonhosted.org/packages/ce/d4/756d5cd1304fbbaac8624ce93cedba804237586d69c17ac1cdaf6daefd52/mlflow-2.10.2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **mlflow-2.10.2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 980c33eab0567755c6395fde59d9ac00f8cd245a
Found in base branch: main
### Vulnerability DetailsA path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the `artifact_location` parameter when creating an experiment. Attackers can exploit this vulnerability by using a fragment component `#` in the artifact location URI to read arbitrary files on the server in the context of the server's process. This issue is similar to CVE-2023-6909 but utilizes a different component of the URI to achieve the same effect.
Publish Date: 2024-04-16
URL: CVE-2024-1594
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-1594
Release Date: 2024-04-16
Fix Resolution: 2.11.3
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-1593
### Vulnerable Library - mlflow-2.10.2-py3-none-any.whlMLflow is an open source platform for the complete machine learning lifecycle
Library home page: https://files.pythonhosted.org/packages/ce/d4/756d5cd1304fbbaac8624ce93cedba804237586d69c17ac1cdaf6daefd52/mlflow-2.10.2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **mlflow-2.10.2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 980c33eab0567755c6395fde59d9ac00f8cd245a
Found in base branch: main
### Vulnerability DetailsA path traversal vulnerability exists in the mlflow/mlflow repository due to improper handling of URL parameters. By smuggling path traversal sequences using the ';' character in URLs, attackers can manipulate the 'params' portion of the URL to gain unauthorized access to files or directories. This vulnerability allows for arbitrary data smuggling into the 'params' part of the URL, enabling attacks similar to those described in previous reports but utilizing the ';' character for parameter smuggling. Successful exploitation could lead to unauthorized information disclosure or server compromise.
Publish Date: 2024-04-16
URL: CVE-2024-1593
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-1593
Release Date: 2024-04-16
Fix Resolution: 2.11.3
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-1558
### Vulnerable Library - mlflow-2.10.2-py3-none-any.whlMLflow is an open source platform for the complete machine learning lifecycle
Library home page: https://files.pythonhosted.org/packages/ce/d4/756d5cd1304fbbaac8624ce93cedba804237586d69c17ac1cdaf6daefd52/mlflow-2.10.2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **mlflow-2.10.2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 980c33eab0567755c6395fde59d9ac00f8cd245a
Found in base branch: main
### Vulnerability DetailsA path traversal vulnerability exists in the `_create_model_version()` function within `server/handlers.py` of the mlflow/mlflow repository, due to improper validation of the `source` parameter. Attackers can exploit this vulnerability by crafting a `source` parameter that bypasses the `_validate_non_local_source_contains_relative_paths(source)` function's checks, allowing for arbitrary file read access on the server. The issue arises from the handling of unquoted URL characters and the subsequent misuse of the original `source` value for model version creation, leading to the exposure of sensitive files when interacting with the `/model-versions/get-artifact` handler.
Publish Date: 2024-04-16
URL: CVE-2024-1558
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-1558
Release Date: 2024-04-16
Fix Resolution: 2.11.3
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-1483
### Vulnerable Library - mlflow-2.10.2-py3-none-any.whlMLflow is an open source platform for the complete machine learning lifecycle
Library home page: https://files.pythonhosted.org/packages/ce/d4/756d5cd1304fbbaac8624ce93cedba804237586d69c17ac1cdaf6daefd52/mlflow-2.10.2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **mlflow-2.10.2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 980c33eab0567755c6395fde59d9ac00f8cd245a
Found in base branch: main
### Vulnerability DetailsA path traversal vulnerability exists in mlflow/mlflow version 2.9.2, allowing attackers to access arbitrary files on the server. By crafting a series of HTTP POST requests with specially crafted 'artifact_location' and 'source' parameters, using a local URI with '#' instead of '?', an attacker can traverse the server's directory structure. The issue occurs due to insufficient validation of user-supplied input in the server's handlers.
Publish Date: 2024-04-16
URL: CVE-2024-1483
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-1483
Release Date: 2024-04-16
Fix Resolution: 2.11.3
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-3099
### Vulnerable Library - mlflow-2.10.2-py3-none-any.whlMLflow is an open source platform for the complete machine learning lifecycle
Library home page: https://files.pythonhosted.org/packages/ce/d4/756d5cd1304fbbaac8624ce93cedba804237586d69c17ac1cdaf6daefd52/mlflow-2.10.2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **mlflow-2.10.2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 980c33eab0567755c6395fde59d9ac00f8cd245a
Found in base branch: main
### Vulnerability DetailsA vulnerability in mlflow/mlflow version 2.11.1 allows attackers to create multiple models with the same name by exploiting URL encoding. This flaw can lead to Denial of Service (DoS) as an authenticated user might not be able to use the intended model, as it will open a different model each time. Additionally, an attacker can exploit this vulnerability to perform data model poisoning by creating a model with the same name, potentially causing an authenticated user to become a victim by using the poisoned model. The issue stems from inadequate validation of model names, allowing for the creation of models with URL-encoded names that are treated as distinct from their URL-decoded counterparts.
Publish Date: 2024-06-06
URL: CVE-2024-3099
### CVSS 3 Score Details (5.4)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://huntr.com/bounties/8d96374a-ce8d-480e-9cb0-0a7e5165c24a
Release Date: 2024-06-06
Fix Resolution: 2.11.3
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.