mlflow@2.12.1 vulnerabilities

MLflow is an open source platform for the complete machine learning lifecycle

latest version

2.12.1
first published

6 years ago
latest version published

20 days ago
licenses detected
- Apache-2.0
  [0,)
View mlflow package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the mlflow package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
H Path Traversal mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Path Traversal due to improper sanitization of user-supplied paths in the artifact deletion functionality. An attacker can delete arbitrary directories on the server's filesystem by exploiting the double decoding process in the `_delete_artifact_mlflow_artifacts` handler and `local_file_uri_to_path` function. This vulnerability arises from an additional unquote operation in the `delete_artifacts` function of `local_artifact_repo.py`, which fails to adequately prevent path traversal sequences. How to fix Path Traversal? There is no fixed version for `mlflow`.	[0,)

Path Traversal

mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models.

Affected versions of this package are vulnerable to Path Traversal due to improper sanitization of user-supplied paths in the artifact deletion functionality. An attacker can delete arbitrary directories on the server's filesystem by exploiting the double decoding process in the _delete_artifact_mlflow_artifacts handler and local_file_uri_to_path function. This vulnerability arises from an additional unquote operation in the delete_artifacts function of local_artifact_repo.py, which fails to adequately prevent path traversal sequences.

How to fix Path Traversal?

There is no fixed version for mlflow.

[0,)

Go back to all versions of this package

mlflow@2.12.1 vulnerabilities

MLflow is an open source platform for the complete machine learning lifecycle

latest version

first published

latest version published

licenses detected

Direct Vulnerabilities