GHSA-pqcv-qw2r-r859
Suggest an improvement- Source
- https://github.com/advisories/GHSA-pqcv-qw2r-r859
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-pqcv-qw2r-r859/GHSA-pqcv-qw2r-r859.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-pqcv-qw2r-r859
- Aliases
-
- BIT-mlflow-2024-37061
- CVE-2024-37061
- Related
- Published
- 2024-06-04T12:31:05Z
- Modified
- 2024-07-15T22:27:33.746144Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- MLFlow improper input validation
- Details
-
Remote Code Execution can occur in versions of the MLflow platform running version 1.11.0 or newer, enabling a maliciously crafted MLproject to execute arbitrary code on an end user’s system when run due to unfiltered input.
- Database specific
{ "nvd_published_at": "2024-06-04T12:15:12Z", "cwe_ids": [ "CWE-20", "CWE-94" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-06-05T13:25:35Z" }- References
Affected packages
PyPI / mlflow
Package
- Name
- mlflow
- View open source insights on deps.dev
- Purl
- pkg:pypi/mlflow
Affected versions
1.*
1.11.0
1.12.0
1.12.1
1.13
1.13.1
1.14.0
1.14.1
1.15.0
1.16.0
1.17.0
1.18.0
1.19.0
1.20.0
1.20.1
1.20.2
1.21.0
1.22.0
1.23.0
1.23.1
1.24.0
1.25.0
1.25.1
1.26.0
1.26.1
1.27.0
1.28.0
1.29.0
1.30.0
1.30.1
2.*
2.0.0rc0
2.0.0
2.0.1
2.1.0
2.1.1
2.2.0
2.2.1
2.2.2
2.3.0
2.3.1
2.3.2
2.4.0
2.4.1
2.4.2
2.5.0
2.6.0
2.7.0
2.7.1
2.8.0
2.8.1
2.9.0
2.9.1
2.9.2
2.10.0
2.10.1
2.10.2
2.11.0
2.11.1
2.11.2
2.11.3
2.11.4
2.12.0
2.12.1
2.12.2
2.13.0
2.13.1