GHSA-cv6c-7963-wxcg
Suggest an improvement- Source
- https://github.com/advisories/GHSA-cv6c-7963-wxcg
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-cv6c-7963-wxcg/GHSA-cv6c-7963-wxcg.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-cv6c-7963-wxcg
- Aliases
-
- BIT-mlflow-2024-37060
- CGA-cpj6-2jgp-w82g
- CVE-2024-37060
- Published
- 2024-06-04T12:31:05Z
- Modified
- 2024-06-26T05:37:58.239737Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- MLFlow unsafe deserialization
- Details
-
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.27.0 or newer, enabling a maliciously crafted Recipe to execute arbitrary code on an end user’s system when run.
- Database specific
{ "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "nvd_published_at": "2024-06-04T12:15:12Z", "github_reviewed_at": "2024-06-05T13:22:39Z", "severity": "HIGH" }- References
Affected packages
PyPI / mlflow
Package
- Name
- mlflow
- View open source insights on deps.dev
- Purl
- pkg:pypi/mlflow
Affected versions
1.*
1.27.0
1.28.0
1.29.0
1.30.0
1.30.1
2.*
2.0.0rc0
2.0.0
2.0.1
2.1.0
2.1.1
2.2.0
2.2.1
2.2.2
2.3.0
2.3.1
2.3.2
2.4.0
2.4.1
2.4.2
2.5.0
2.6.0
2.7.0
2.7.1
2.8.0
2.8.1
2.9.0
2.9.1
2.9.2
2.10.0
2.10.1
2.10.2
2.11.0
2.11.1
2.11.2
2.11.3
2.11.4
2.12.0
2.12.1
2.12.2
2.13.0
2.13.1
2.13.2
2.14.0rc0
2.14.0
2.14.1