Lfprojects

Mlflow

55 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
5.4

CVE-2024-3099

Exploit
  • EPSS 0.06%
  • Veröffentlicht 06.06.2024 19:15:59
  • Zuletzt bearbeitet 21.11.2024 09:28:53

A vulnerability in mlflow/mlflow version 2.11.1 allows attackers to create multiple models with the same name by exploiting URL encoding. This flaw can lead to Denial of Service (DoS) as an authenticated user might not be able to use the intended mod...

7.5

CVE-2024-2928

Exploit
  • EPSS 91.65%
  • Veröffentlicht 06.06.2024 19:15:55
  • Zuletzt bearbeitet 21.11.2024 09:10:51

A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory tr...

8.8

CVE-2024-0520

Exploit
  • EPSS 4.88%
  • Veröffentlicht 06.06.2024 19:15:51
  • Zuletzt bearbeitet 15.10.2025 13:15:33

A vulnerability in mlflow/mlflow version 8.2.1 allows for remote code execution due to improper neutralization of special elements used in an OS command ('Command Injection') within the `mlflow.data.http_dataset_source.py` module. Specifically, when ...

8.8

CVE-2024-37061

Exploit
  • EPSS 3.95%
  • Veröffentlicht 04.06.2024 12:15:12
  • Zuletzt bearbeitet 03.02.2025 14:48:37

Remote Code Execution can occur in versions of the MLflow platform running version 1.11.0 or newer, enabling a maliciously crafted MLproject to execute arbitrary code on an end user’s system when run.

8.8

CVE-2024-37058

Exploit
  • EPSS 0.4%
  • Veröffentlicht 04.06.2024 12:15:12
  • Zuletzt bearbeitet 03.02.2025 14:46:16

Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.5.0 or newer, enabling a maliciously uploaded Langchain AgentExecutor model to run arbitrary code on an end user’s system when interacted with.

8.8

CVE-2024-37059

Exploit
  • EPSS 0.44%
  • Veröffentlicht 04.06.2024 12:15:12
  • Zuletzt bearbeitet 03.02.2025 14:46:23

Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with.

8.8

CVE-2024-37060

Exploit
  • EPSS 0.38%
  • Veröffentlicht 04.06.2024 12:15:12
  • Zuletzt bearbeitet 03.02.2025 14:46:31

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.27.0 or newer, enabling a maliciously crafted Recipe to execute arbitrary code on an end user’s system when run.

8.8

CVE-2024-37057

Exploit
  • EPSS 0.44%
  • Veröffentlicht 04.06.2024 12:15:11
  • Zuletzt bearbeitet 03.02.2025 14:45:23

Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.0.0rc0 or newer, enabling a maliciously uploaded Tensorflow model to run arbitrary code on an end user’s system when interacted with.

8.8

CVE-2024-37056

Exploit
  • EPSS 0.4%
  • Veröffentlicht 04.06.2024 12:15:11
  • Zuletzt bearbeitet 03.02.2025 14:45:07

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.23.0 or newer, enabling a maliciously uploaded LightGBM scikit-learn model to run arbitrary code on an end user’s system when interacted with.

8.8

CVE-2024-37055

Exploit
  • EPSS 0.44%
  • Veröffentlicht 04.06.2024 12:15:11
  • Zuletzt bearbeitet 03.02.2025 14:44:39

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.24.0 or newer, enabling a maliciously uploaded pmdarima model to run arbitrary code on an end user’s system when interacted with.