mlflow@2.22.3 vulnerabilities

MLflow is an open source platform for the complete machine learning lifecycle

Direct Vulnerabilities

Known vulnerabilities in the mlflow package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability | Vulnerable Version
  • Severity: High
Directory Traversal

mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models.

Affected versions of this package are vulnerable to Directory Traversal in the extraction process of tar archives due to improper validation of archive entry paths. An attacker can overwrite arbitrary files on the filesystem by supplying a crafted tar.gz file containing directory traversal sequences or absolute paths.

How to fix Directory Traversal?

Upgrade mlflow to version 3.9.0rc0 or higher.

Vulnerable versions: [,3.9.0rc0)
  • Severity: High
Command Injection

Affected versions of this package are vulnerable to Command Injection via the --container parameter. An attacker can execute unauthorized commands by supplying specially crafted input that is not properly sanitized.

Note:

This is only exploitable if the attacker has shell access to the system.

How to fix Command Injection?

Upgrade mlflow to version 3.8.0rc0 or higher.

Vulnerable versions: [,3.8.0rc0)
  • Severity: High
Directory Traversal

Affected versions of this package are vulnerable to Directory Traversal via the _find_run_root function in the FileStore tracking component. An attacker can access arbitrary files on the server by planting a malicious meta.yaml in an artifact folder to redirect artifact URI resolution to sensitive directories.

How to fix Directory Traversal?

Upgrade mlflow to version 3.8.0rc0 or higher.

Vulnerable versions: [,3.8.0rc0)
  • Severity: Critical
Use of Default Credentials

Affected versions of this package are vulnerable to Use of Default Credentials in the basic_auth.ini file. An attacker can gain unauthorized administrative access and execute arbitrary code if the default admin credentials have not been changed.

How to fix Use of Default Credentials?

There is no fixed version for mlflow.

Vulnerable versions: [2.3.2,)
  • Severity: High
Creation of Temporary File With Insecure Permissions

Affected versions of this package are vulnerable to Creation of Temporary File With Insecure Permissions in the get_or_create_tmp_dir() function in file_utils.py. This enables an attacker who can write to /tmp to cause the execution of arbitrary .py files during environment setup.

How to fix Creation of Temporary File With Insecure Permissions?

Upgrade mlflow to version 3.4.0rc0 or higher.

Vulnerable versions: [,3.4.0rc0)
  • Severity: High
Origin Validation Error

Affected versions of this package are vulnerable to Origin Validation Error in the REST server, accessible via the experiments/search endpoint. An attacker can access, modify, or delete sensitive experiment data by tricking a user into visiting a malicious website that issues unauthorized requests to REST endpoints.

How to fix Origin Validation Error?

Upgrade mlflow to version 3.5.0rc0 or higher.

Vulnerable versions: [,3.5.0rc0)
  • Severity: Medium
Symlink Attack

Affected versions of this package are vulnerable to Symlink Attack due to insufficient validation that artifact paths (after following symlinks) remain inside the configured local artifact directory. An attacker can create an artifact that is a symbolic link pointing to a file outside of the designated artifact repository.

How to fix Symlink Attack?

Upgrade mlflow to version 3.8.0rc0 or higher.

Vulnerable versions: [,3.8.0rc0)
  • Severity: Medium
SQL Injection

Affected versions of this package are vulnerable to SQL Injection due to unsafe construction of SQL statements in the get_execute_function_sql_stmt function within mlflow/gateway/uc_function_utils.py. An attacker can execute arbitrary SQL statements by providing a maliciously crafted Unity Catalog function name or parameter name that is directly interpolated into the SQL query without proper quoting or escaping.

Note: Because function names should not normally be subject to attacker influence, exploitation is unlikely; however, the maintainer considered exploitation possible (see the maintainer's comment).

How to fix SQL Injection?

Upgrade mlflow to version 3.8.0 or higher.

Vulnerable versions: [,3.8.0)
  • Severity: Critical
Directory Traversal

Affected versions of this package are vulnerable to Directory Traversal via improper validation of user-supplied model file paths. An attacker can execute arbitrary code in the context of the service account by supplying crafted path input to perform unauthorized file operations.

How to fix Directory Traversal?

Upgrade mlflow to version 3.0.0 or higher.

Vulnerable versions: [,3.0.0)
  • Severity: Medium
Server-side Request Forgery (SSRF)

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via insufficient validation of the gateway_path parameter in the gateway_proxy_handler process. An attacker can interact with unintended internal resources by supplying crafted input to bypass access controls.

How to fix Server-side Request Forgery (SSRF)?

Upgrade mlflow to version 3.0.0 or higher.

Vulnerable versions: [,3.0.0)
  • Severity: High
Allocation of Resources Without Limits or Throttling

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in handlers.py, which is exploitable over the /graphql endpoint. An attacker can occupy all available workers and make the server unresponsive to other connections by sending large batches of GraphQL queries that repeatedly request all runs from a given experiment and stay in a pending state. Experiments configured to have a large number of runs are vulnerable.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade mlflow to version 3.1.1 or higher.

Vulnerable versions: [,3.1.1)
  • Severity: High
Deserialization of Untrusted Data

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the load function in the BaseCard class within the recipes/cards/__init__.py file. An attacker can execute arbitrary code on the target system by creating an MLProject Recipe containing a malicious pickle file (e.g. pickle.pkl) and a Python script that calls BaseCard.load(pickle.pkl). The pickle file will be deserialized when the project is run.

Note:

If you are not running MLflow on a publicly accessible server, this vulnerability won't apply to you.

How to fix Deserialization of Untrusted Data?

There is no fixed version for mlflow.

Vulnerable versions: [1.27.0,)
  • Severity: High
Deserialization of Untrusted Data

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the _load_model function in the mlflow/pytorch/__init__.py file. An attacker can execute arbitrary code on the victim's system by injecting a malicious pickle object into a PyFunc model which will then be deserialized when the model is loaded.

How to fix Deserialization of Untrusted Data?

There is no fixed version for mlflow.

Vulnerable versions: [0.5.0,)
  • Severity: High
Improper Control of Generation of Code ('Code Injection')

Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') via the _run_entry_point function in the projects/backend/local.py file. An attacker can execute arbitrary code on the victim's system by submitting a maliciously crafted MLproject file.

How to fix Improper Control of Generation of Code ('Code Injection')?

There is no fixed version for mlflow.

Vulnerable versions: [1.11.0,)
  • Severity: High
Deserialization of Untrusted Data

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the _load_from_pickle function in the mlflow/langchain/utils.py file. An attacker can execute arbitrary code on the victim's system by injecting a malicious pickle object into a PyFunc model which will then be deserialized when the model is loaded.

How to fix Deserialization of Untrusted Data?

There is no fixed version for mlflow.

Vulnerable versions: [2.5.0,)
  • Severity: High
Deserialization of Untrusted Data

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the _load_custom_objects function in the mlflow/tensorflow/__init__.py file. An attacker can execute arbitrary code on the victim's system by injecting a malicious pickle object into a PyFunc model which will then be deserialized when the model is loaded.

How to fix Deserialization of Untrusted Data?

There is no fixed version for mlflow.

Vulnerable versions: [2.0.0rc0,)
  • Severity: High
Deserialization of Untrusted Data

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the _load_model function in the mlflow/lightgbm/__init__.py file. An attacker can execute arbitrary code on the victim's system by injecting a malicious pickle object into a PyFunc model which will then be deserialized when the model is loaded.

How to fix Deserialization of Untrusted Data?

There is no fixed version for mlflow.

Vulnerable versions: [1.23.0,)
  • Severity: High
Deserialization of Untrusted Data

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the _load_model function in the pmdarima/__init__.py file. An attacker can execute arbitrary code on the victim's system by injecting a malicious pickle object into a PyFunc model which will then be deserialized when the model is loaded.

How to fix Deserialization of Untrusted Data?

There is no fixed version for mlflow.

Vulnerable versions: [1.24.0,)
  • Severity: High
Deserialization of Untrusted Data

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the _load_model_from_local_file function in the sklearn/__init__.py file. An attacker can execute arbitrary code on the victim's system by injecting a malicious pickle object into a PyFunc model, which will then be deserialized when the model is loaded.

How to fix Deserialization of Untrusted Data?

There is no fixed version for mlflow.

Vulnerable versions: [1.1.0,)
  • Severity: High
Deserialization of Untrusted Data

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the _load_pyfunc function in the mlflow/pyfunc/model.py file. An attacker can execute arbitrary code on the victim's system by injecting a malicious pickle object into a PyFunc model which will then be deserialized when the model is loaded.

How to fix Deserialization of Untrusted Data?

There is no fixed version for mlflow.

Vulnerable versions: [0.9.0,)