CVE-2024-6838
- EPSS 0.62%
- Veröffentlicht 20.03.2025 10:09:11
- Zuletzt bearbeitet 01.04.2025 20:33:56
In mlflow/mlflow version v2.13.2, a vulnerability exists that allows the creation or renaming of an experiment with a large number of integers in its name due to the lack of a limit on the experiment name. This can cause the MLflow UI panel to become...
- EPSS 0.12%
- Veröffentlicht 25.11.2024 14:15:06
- Zuletzt bearbeitet 03.02.2025 15:05:50
Excessive directory permissions in MLflow leads to local privilege escalation when using spark_udf. This behavior can be exploited by a local attacker to gain elevated permissions by using a ToCToU attack. The issue is only relevant when the spark_ud...
CVE-2024-3099
- EPSS 0.44%
- Veröffentlicht 06.06.2024 19:15:59
- Zuletzt bearbeitet 21.11.2024 09:28:53
A vulnerability in mlflow/mlflow version 2.11.1 allows attackers to create multiple models with the same name by exploiting URL encoding. This flaw can lead to Denial of Service (DoS) as an authenticated user might not be able to use the intended mod...
CVE-2024-2928
- EPSS 21.85%
- Veröffentlicht 06.06.2024 19:15:55
- Zuletzt bearbeitet 21.11.2024 09:10:51
A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory tr...
CVE-2024-0520
- EPSS 2.38%
- Veröffentlicht 06.06.2024 19:15:51
- Zuletzt bearbeitet 15.10.2025 13:15:33
A vulnerability in mlflow/mlflow version 8.2.1 allows for remote code execution due to improper neutralization of special elements used in an OS command ('Command Injection') within the `mlflow.data.http_dataset_source.py` module. Specifically, when ...
CVE-2024-37058
- EPSS 0.62%
- Veröffentlicht 04.06.2024 12:15:12
- Zuletzt bearbeitet 03.02.2025 14:46:16
Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.5.0 or newer, enabling a maliciously uploaded Langchain AgentExecutor model to run arbitrary code on an end user’s system when interacted with.
CVE-2024-37061
- EPSS 0.88%
- Veröffentlicht 04.06.2024 12:15:12
- Zuletzt bearbeitet 03.02.2025 14:48:37
Remote Code Execution can occur in versions of the MLflow platform running version 1.11.0 or newer, enabling a maliciously crafted MLproject to execute arbitrary code on an end user’s system when run.
CVE-2024-37060
- EPSS 0.77%
- Veröffentlicht 04.06.2024 12:15:12
- Zuletzt bearbeitet 03.02.2025 14:46:31
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.27.0 or newer, enabling a maliciously crafted Recipe to execute arbitrary code on an end user’s system when run.
CVE-2024-37059
- EPSS 0.62%
- Veröffentlicht 04.06.2024 12:15:12
- Zuletzt bearbeitet 03.02.2025 14:46:23
Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with.
CVE-2024-37057
- EPSS 0.62%
- Veröffentlicht 04.06.2024 12:15:11
- Zuletzt bearbeitet 03.02.2025 14:45:23
Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.0.0rc0 or newer, enabling a maliciously uploaded Tensorflow model to run arbitrary code on an end user’s system when interacted with.