mlflow@1.6.0 vulnerabilities
MLflow is an open source platform for the complete machine learning lifecycle
- latest version: 2.12.1
- first published: 6 years ago
- latest version published: 22 days ago
- licenses detected: [0,)
Direct Vulnerabilities
Known vulnerabilities in the mlflow package. This does not include vulnerabilities belonging to this package’s dependencies.
Vulnerability | Vulnerable Version |
---|---|
mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Path Traversal due to improper validation of the How to fix Path Traversal? Upgrade | [,2.12.1) |
Affected versions of this package are vulnerable to Path Traversal due to improper sanitization of user-supplied paths in the artifact deletion functionality. An attacker can delete arbitrary directories on the server's filesystem by exploiting the double decoding process in the How to fix Path Traversal? There is no fixed version for | [0,) |
Affected versions of this package are vulnerable to Path Traversal due to insufficient validation of user-supplied input in the server's handlers. An attacker can access arbitrary files on the server by crafting a series of HTTP POST requests with specially crafted Note: This vulnerability is similar to CVE-2023-6909 but utilizes a different component of the URI to achieve the same effect. How to fix Path Traversal? Upgrade | [,2.11.3) |
Affected versions of this package are vulnerable to Path Traversal due to improper handling of URL parameters. By smuggling path traversal sequences using the How to fix Path Traversal? Upgrade | [,2.11.3) |
Affected versions of this package are vulnerable to Path Traversal due to the handling of the Note: This vulnerability is similar to CVE-2023-6909 but utilizes a different component of the URI to achieve the same effect. How to fix Path Traversal? Upgrade | [,2.12.1) |
Affected versions of this package are vulnerable to Path Traversal due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary files on the system. The issue arises from the How to fix Path Traversal? Upgrade | [,2.10.0) |
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in some dataframe fields. An attacker can execute code by convincing a user to run a recipe in a Jupyter Notebook with a malicious dataset. How to fix Cross-site Scripting (XSS)? Upgrade | [,2.10.0) |
Affected versions of this package are vulnerable to Arbitrary Code Injection via the How to fix Arbitrary Code Injection? Upgrade | [,2.10.0) |
Affected versions of this package are vulnerable to Improper Access Control via a specially crafted path input that exploits improper neutralization of special elements through the FTP model. An attacker can gain unauthorized read or write access to files on the server by submitting a path with directory traversal sequences. How to fix Improper Access Control? Upgrade | [,2.9.2) |
Affected versions of this package are vulnerable to Directory Traversal allowing arbitrary file writes on the server, by including a How to fix Directory Traversal? Upgrade | [,2.9.2) |
Affected versions of this package are vulnerable to Arbitrary File Read due to a bypass of the fix for CVE-2023-2780. This allows attackers to trick the How to fix Arbitrary File Read? Upgrade | [,2.10.0) |
Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) by exploiting the redirect behavior of the default How to fix Server-Side Request Forgery (SSRF)? Upgrade | [,2.9.2) |
Affected versions of this package are vulnerable to Command Injection because of an invalid fix for CVE-2023-6709. Attackers can gain full command execution on the victim system, with only one user interaction. How to fix Command Injection? Upgrade | [,2.9.2) |
Affected versions of this package are vulnerable to Directory Traversal when processing a specially crafted file path that includes directory traversal sequences ( How to fix Directory Traversal? Upgrade | [,2.9.2) |
Affected versions of this package are vulnerable to Directory Traversal when passing crafted input to the file handling mechanism. It is possible to bypass the Note: An attacker can remove any file on the victim server (depending on the user's rights) by exploiting this vulnerability. How to fix Directory Traversal? Upgrade | [,2.9.2) |
Affected versions of this package are vulnerable to Path Traversal when loading datasets on Windows. Exploitation is possible when the filename is controlled by the path of the URL on Windows; it is then possible to write files outside of the current working directory by using a backslash '\' instead of a forward slash '/' as How to fix Path Traversal? Upgrade | [,2.9.2) |
Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine. An attacker can execute arbitrary code or commands by injecting malicious input into the template system. Note: In order for this vulnerability to be exploited, the user must load a recipe configuration found on the internet. How to fix Improper Neutralization of Special Elements Used in a Template Engine? Upgrade | [,2.9.2) |
Affected versions of this package are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). An attacker can inject code into the How to fix Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')? Upgrade | [,2.9.0) |
Affected versions of this package are vulnerable to OS Command Injection through a How to fix OS Command Injection? Upgrade | [,2.9.0) |
Affected versions of this package are vulnerable to Use of GET Request Method With Sensitive Query Strings due to an incomplete fix for CVE-2023-1177. A bypass for in both mlflow server and mlflow ui was discovered that goes around MLflow's implementation of basic authentication. How to fix Use of GET Request Method With Sensitive Query Strings? Upgrade | [,2.8.0) |
Affected versions of this package are vulnerable to Improper Limitation of a Pathname to a Restricted Directory due to a checks bypass in Note: This issue is only exploitable on Windows OS. How to fix Improper Limitation of a Pathname to a Restricted Directory? Upgrade | [,2.8.1) |
Affected versions of this package are vulnerable to Command Injection due to not properly escaping the arguments used by the How to fix Command Injection? Upgrade | [0,2.6.0) |
Affected versions of this package are vulnerable to Directory Traversal via the function How to fix Directory Traversal? Upgrade | [,2.4.1) |
Affected versions of this package are vulnerable to Arbitrary File Read due to a bypass of the fix for CVE-2023-1177. This allows attackers to download arbitrary files unrelated to MLflow from the host server, including any files stored in remote locations to which the host server has access. How to fix Arbitrary File Read? Upgrade | [,2.3.0) |
Affected versions of this package are vulnerable to Directory Traversal due to improper validation of the How to fix Directory Traversal? Upgrade | [,2.0.0rc0) |
Affected versions of this package are vulnerable to Relative Path Traversal due to allowing relative paths in registered model sources. Note: This issue only affects users and integrations that run the How to fix Relative Path Traversal? Upgrade | [,2.3.1) |
Affected versions of this package are vulnerable to Access Restriction Bypass. Users of the MLflow Open Source Project who are hosting the MLflow Model Registry using the This issue only affects users and integrations that run the How to fix Access Restriction Bypass? Upgrade | [,2.3.1) |
Affected versions of this package are vulnerable to Relative Path Traversal such that by creating a model version through the REST API endpoint How to fix Relative Path Traversal? Upgrade | [,2.3.1) |
Affected versions of this package are vulnerable to Access Restriction Bypass via the How to fix Access Restriction Bypass? Upgrade | [,2.2.0) |
Affected versions of this package are vulnerable to Improper Access Control, which enables malicious actors to download arbitrary files unrelated to MLflow from the host server, including any files stored in remote locations to which the host server has access. This issue only affects users and integrations that run the How to fix Improper Access Control? Upgrade | [,2.2.1) |
Affected versions of this package are vulnerable to Insecure Temporary File due to use of the deprecated function How to fix Insecure Temporary File? Upgrade | [,1.23.1) |