Lfprojects: Security Vulnerabilities

Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over dataset table fields.
CVSS Score: 7.5 | EPSS Score: 0.007 | Published: 2024-02-23

cdo-local-uuid project provides a specialized UUID-generating function that can, on user request, cause a program to generate deterministic UUIDs. An information leakage vulnerability is present in `cdo-local-uuid` at version `0.4.0`, and in `case-utils` in unpatched versions (matching the pattern `0.x.0`) at and since `0.5.0`, before `0.15.0`. The vulnerability stems from a Python function, `cdo_local_uuid.local_uuid()`, and its original implementation `case_utils.local_uuid()`.
CVSS Score: 2.2 | EPSS Score: 0.004 | Published: 2024-01-11

A malicious user could use this issue to access internal HTTP(s) servers and, in the worst case (i.e., an AWS instance), it could be abused to get remote code execution on the victim machine.
CVSS Score: 8.6 | EPSS Score: 0.015 | Published: 2023-12-20

A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information.
CVSS Score: 9.8 | EPSS Score: 0.02 | Published: 2023-12-20

This vulnerability is capable of writing arbitrary files into arbitrary locations on the remote filesystem in the context of the server process.
CVSS Score: 8.8 | EPSS Score: 0.01 | Published: 2023-12-20

This vulnerability enables malicious users to read sensitive files on the server.
CVSS Score: 10.0 | EPSS Score: 0.039 | Published: 2023-12-20

With only one user interaction (downloading a malicious config), attackers can gain full command execution on the victim system.
CVSS Score: 9.0 | EPSS Score: 0.012 | Published: 2023-12-19

Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.
CVSS Score: 7.5 | EPSS Score: 0.897 | Published: 2023-12-18

Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.
CVSS Score: 8.1 | EPSS Score: 0.033 | Published: 2023-12-15

Path Traversal in GitHub repository mlflow/mlflow prior to 2.9.2.
CVSS Score: 9.6 | EPSS Score: 0.011 | Published: 2023-12-13

