Lfprojects

Mlflow

77 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
Exploit
  • EPSS 0.86%
  • Veröffentlicht 16.04.2024 00:15:08
  • Zuletzt bearbeitet 03.02.2025 15:18:54

A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the artifact deletion functionality. Attackers can bypass path validation by exploiting the double decoding process in the `_delete_artifact_mlflow_artifacts` ...

Exploit
  • EPSS 0.86%
  • Veröffentlicht 16.04.2024 00:15:08
  • Zuletzt bearbeitet 03.02.2025 15:14:41

A path traversal vulnerability exists in the `_create_model_version()` function within `server/handlers.py` of the mlflow/mlflow repository, due to improper validation of the `source` parameter. Attackers can exploit this vulnerability by crafting a ...

Exploit
  • EPSS 2.72%
  • Veröffentlicht 16.04.2024 00:15:08
  • Zuletzt bearbeitet 03.02.2025 15:02:46

A path traversal vulnerability exists in mlflow/mlflow version 2.9.2, allowing attackers to access arbitrary files on the server. By crafting a series of HTTP POST requests with specially crafted 'artifact_location' and 'source' parameters, using a l...

Exploit
  • EPSS 0.65%
  • Veröffentlicht 23.02.2024 22:15:55
  • Zuletzt bearbeitet 22.01.2025 13:46:56

Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over dataset t...

Exploit
  • EPSS 0.87%
  • Veröffentlicht 23.02.2024 22:15:55
  • Zuletzt bearbeitet 22.01.2025 14:15:26

Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe. This issue leads to a client-side RCE when running an untrusted recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over template variables...

Exploit
  • EPSS 2.01%
  • Veröffentlicht 20.12.2023 06:15:45
  • Zuletzt bearbeitet 21.11.2024 08:44:57

A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information.

Exploit
  • EPSS 1.51%
  • Veröffentlicht 20.12.2023 06:15:45
  • Zuletzt bearbeitet 21.11.2024 08:44:57

A malicious user could use this issue to access internal HTTP(s) servers and in the worst case (ie: aws instance) it could be abuse to get a remote code execution on the victim machine.

Exploit
  • EPSS 1.01%
  • Veröffentlicht 20.12.2023 06:15:45
  • Zuletzt bearbeitet 21.11.2024 08:44:57

This vulnerability is capable of writing arbitrary files into arbitrary locations on the remote filesystem in the context of the server process.

Exploit
  • EPSS 3.92%
  • Veröffentlicht 20.12.2023 06:15:45
  • Zuletzt bearbeitet 21.11.2024 08:44:57

This vulnerability enables malicious users to read sensitive files on the server.

  • EPSS 1.22%
  • Veröffentlicht 19.12.2023 02:15:45
  • Zuletzt bearbeitet 21.11.2024 08:44:52

with only one user interaction(download a malicious config), attackers can gain full command execution on the victim system.