Homepage
About Snyk

mlflow@2.12.0 vulnerabilities

MLflow is an open source platform for the complete machine learning lifecycle

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the mlflow package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Path Traversal

mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models.

Affected versions of this package are vulnerable to Path Traversal due to improper validation of the source parameter within the _create_model_version function. An attacker can gain arbitrary file read access on the server by crafting a source parameter that bypasses the _validate_non_local_source_contains_relative_paths(source) function's checks. This issue stems from the handling of unquoted URL characters and the misuse of the original source value for model version creation, leading to the exposure of sensitive files when interacting with the /model-versions/get-artifact handler.

How to fix Path Traversal?

Upgrade mlflow to version 2.12.1 or higher.

[,2.12.1)
  • H
Path Traversal

mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models.

Affected versions of this package are vulnerable to Path Traversal due to improper sanitization of user-supplied paths in the artifact deletion functionality. An attacker can delete arbitrary directories on the server's filesystem by exploiting the double decoding process in the _delete_artifact_mlflow_artifacts handler and local_file_uri_to_path function. This vulnerability arises from an additional unquote operation in the delete_artifacts function of local_artifact_repo.py, which fails to adequately prevent path traversal sequences.

How to fix Path Traversal?

There is no fixed version for mlflow.

[0,)
  • H
Path Traversal

mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models.

Affected versions of this package are vulnerable to Path Traversal due to the handling of the artifact_location parameter when creating an experiment. An attacker can read arbitrary files on the server in the context of the server's process by using a fragment component # in the artifact location URI.

Note:

This vulnerability is similar to CVE-2023-6909 but utilizes a different component of the URI to achieve the same effect.

How to fix Path Traversal?

Upgrade mlflow to version 2.12.1 or higher.

[,2.12.1)
Go back to all versions of this package