GHSA-x422-6qhv-p29g

Source

https://github.com/advisories/GHSA-x422-6qhv-p29g

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-x422-6qhv-p29g/GHSA-x422-6qhv-p29g.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-x422-6qhv-p29g

Aliases

Published

2023-04-28T00:30:29Z

Modified

2024-09-25T18:59:29.424500Z

Severity

10.0 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L CVSS Calculator
7.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:L CVSS Calculator

Summary

Relative path traversal in mlflow

Details

Relative Path Traversal in GitHub repository mlflow/mlflow prior to 2.3.1.

Database specific

{
    "nvd_published_at": "2023-04-28T00:15:08Z",
    "cwe_ids": [
        "CWE-23"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-01T13:43:17Z"
}

References

Affected packages

PyPI / mlflow

Package

Name: mlflow; View open source insights on deps.dev
Purl: pkg:pypi/mlflow

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.3.1

Affected versions

0.*

0.0.1

0.1.0

0.2.0

0.2.1

0.3.0

0.4.0

0.4.1

0.4.2

0.5.0

0.5.1

0.5.2

0.6.0

0.7.0

0.8.0

0.8.1

0.8.2

0.9.0

0.9.0.1

0.9.1

1.*

1.0.0

1.1.0

1.1.1.dev0

1.2.0

1.3.0

1.4.0

1.5.0

1.6.0

1.7.0

1.7.1

1.7.2

1.8.0

1.9.0

1.9.1

1.10.0

1.11.0

1.12.0

1.12.1

1.13

1.13.1

1.14.0

1.14.1

1.15.0

1.16.0

1.17.0

1.18.0

1.19.0

1.20.0

1.20.1

1.20.2

1.21.0

1.22.0

1.23.0

1.23.1

1.24.0

1.25.0

1.25.1

1.26.0

1.26.1

1.27.0

1.28.0

1.29.0

1.30.0

1.30.1

2.*

2.0.0rc0

2.0.0

2.0.1

2.1.0

2.1.1

2.2.0

2.2.1

2.2.2

2.3.0

Ecosystem specific

{
    "affected_functions": [
        "mlflow.server.handlers._validate_non_local_source_contains_relative_paths",
        "mlflow.server.handlers._validate_source"
    ]
}