Lfprojects: Security Vulnerabilities
Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository mlflow/mlflow prior to 2.9.2.
CVSS Score
10.0
EPSS Score
0.009
Published
2023-12-12
A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the Content-Type header in POST requests. An attacker can inject malicious JavaScript code into the Content-Type header, which is then improperly reflected back to the user without adequate sanitization or escaping, leading to arbitrary JavaScript execution in the context of the victim's browser. The vulnerability is present in the mlflow/server/auth/__init__.py file, where the user-supplied Content-Type header is directly injected into a Python formatted string and returned to the user, facilitating the XSS attack.
CVSS Score
6.5
EPSS Score
0.016
Published
2023-12-07
An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API.
CVSS Score
7.5
EPSS Score
0.366
Published
2023-12-05
An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirment.
CVSS Score
9.1
EPSS Score
0.012
Published
2023-11-16
MLflow allowed arbitrary files to be PUT onto the server.
CVSS Score
10.0
EPSS Score
0.044
Published
2023-11-16
An attacker can overwrite any file on the server hosting MLflow without any authentication.
CVSS Score
10.0
EPSS Score
0.479
Published
2023-11-16
OS Command Injection in GitHub repository mlflow/mlflow prior to 2.6.0.
CVSS Score
8.8
EPSS Score
0.012
Published
2023-08-01
Apptainer is an open source container platform. Version 1.2.0-rc.2 introduced an ineffective privilege drop when requesting container network setup, therefore subsequent functions are called with root privileges, the attack surface is rather limited for users but an attacker could possibly craft a starter config to delete any directory on the host filesystems. A security fix has been included in Apptainer 1.2.1. There is no known workaround outside of upgrading to Apptainer 1.2.1.
CVSS Score
6.1
EPSS Score
0.002
Published
2023-07-25
Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0.
CVSS Score
10.0
EPSS Score
0.707
Published
2023-07-19
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.3.1.
CVSS Score
9.8
EPSS Score
0.063
Published
2023-05-17