📦 Mlflow

by Lfprojects

🛡️ Security Overview

⚠️ Known Vulnerabilities

CVE-2025-11200

CRITICAL CVSS 9.8 Oct 29, 2025

This vulnerability allows remote attackers to bypass authentication in MLflow installations due to weak password requirements. Attackers can gain unauthorized access without credentials. All MLflow de...

CVE-2024-3573

CRITICAL CVSS 9.3 Apr 16, 2024

This vulnerability in MLflow allows attackers to perform Local File Inclusion (LFI) by exploiting improper URI parsing in the 'is_local_uri' function. Attackers can craft malicious model versions with...

CVE-2023-6974

CRITICAL CVSS 9.8 Dec 20, 2023

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in MLflow that allows attackers to make unauthorized requests to internal HTTP(s) servers. Attackers could potentially access sens...
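The SSRF entry above comes down to the server fetching a URL the client chose. The guard below is an added example written for this page, not MLflow's own code: it restricts the scheme, resolves every address the hostname maps to, and refuses anything loopback, link-local (cloud metadata lives at 169.254.169.254), private or otherwise non-routable. The DNS answers in `CONSTRUCTED_DNS` are made up for an offline run; `system_resolver` is what a deployment would plug in.

```python
"""Outbound-URL guard against SSRF (added example, not MLflow's own code)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(ip_text: str) -> bool:
    """True only for an address a server may legitimately fetch from."""
    ip = ipaddress.ip_address(ip_text)
    # Loopback covers the tracking server itself, link-local covers cloud
    # metadata endpoints such as 169.254.169.254, private covers RFC 1918/ULA.
    return not (
        ip.is_loopback or ip.is_link_local or ip.is_private
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def system_resolver(host: str) -> list[str]:
    """Resolve every A/AAAA record; all of them must be public, not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_outbound_url(url: str, resolver=system_resolver) -> tuple[bool, str]:
    """Decide whether a user-supplied URL may be fetched server-side.

    Returns (allowed, reason). The resolver is injectable so the check can be
    exercised offline; in production the caller must connect to the vetted
    address rather than re-resolve the hostname, or DNS rebinding defeats it.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        # Literal addresses need no DNS; hostnames go through the injected resolver.
        ipaddress.ip_address(host)
        addresses = [host]
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:
            return False, f"cannot resolve {host}"
    for address in addresses:
        if not is_public_address(address):
            return False, f"{host} resolves to non-public address {address}"
    return True, "ok"


# Constructed DNS answers for an offline demonstration (not real records).
CONSTRUCTED_DNS = {
    "api.example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "tracking.internal": ["10.0.0.5"],
}


def constructed_resolver(host: str) -> list[str]:
    """Stand-in for system_resolver that answers only from CONSTRUCTED_DNS."""
    try:
        return CONSTRUCTED_DNS[host]
    except KeyError:
        raise socket.gaierror(f"no constructed record for {host}")


if __name__ == "__main__":
    for url in (
        "https://api.example.com/datasets/train.csv",
        "http://metadata.internal/latest/meta-data/",
        "http://127.0.0.1:5000/api/2.0/mlflow/experiments/search",
        "http://[::1]:5000/",
        "file:///etc/passwd",
    ):
        print(url, "->", check_outbound_url(url, resolver=constructed_resolver))
```

The check is only as good as the address actually used for the connection: validate, then connect to that address with the original hostname in the Host header, so a rebinding DNS answer cannot swap in 127.0.0.1 after the check has passed.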

CVE-2023-6014

CRITICAL CVSS 9.8 Nov 16, 2023

This vulnerability allows unauthenticated attackers to create arbitrary user accounts in MLflow deployments, bypassing all authentication requirements. Any organization using MLflow for machine learni...

CVE-2023-3765

CRITICAL CVSS 10.0 Jul 19, 2023

This vulnerability allows attackers to perform absolute path traversal attacks in MLflow deployments prior to version 2.5.0. Attackers can potentially access arbitrary files on the server filesystem b...

CVE-2023-2780

CRITICAL CVSS 9.8 May 17, 2023

This CVE describes a path traversal vulnerability in MLflow where attackers can use '\..\filename' sequences to access files outside intended directories. It affects MLflow deployments prior to versio...

CVE-2025-0453

HIGH CVSS 7.5 Mar 20, 2025

This vulnerability in MLflow's GraphQL endpoint allows attackers to cause denial of service by sending specially crafted queries that consume excessive server resources. Attackers can tie up all worke...

CVE-2025-1473

HIGH CVSS 7.1 Mar 20, 2025

A Cross-Site Request Forgery vulnerability in MLflow's signup feature allows attackers to create unauthorized accounts by tricking authenticated users into submitting malicious requests. This affects ...

CVE-2024-8859

HIGH CVSS 7.5 Mar 20, 2025

A path traversal vulnerability in MLflow 2.15.1 allows attackers to read arbitrary files when the DBFS service is configured and mounted locally. This occurs because URL query parameters aren't proper...

CVE-2024-27134

HIGH CVSS 7.0 Nov 25, 2024

This vulnerability allows local attackers to escalate privileges on systems running MLflow when the spark_udf() API is called. Attackers can exploit improper directory permissions using a Time-of-Chec...

CVE-2024-0520

HIGH CVSS 8.8 Jun 6, 2024

This CVE allows remote code execution in MLflow versions before 2.9.0 due to command injection vulnerability. Attackers can manipulate file paths when loading datasets from HTTP sources, leading to ar...

CVE-2024-37058

HIGH CVSS 8.8 Jun 4, 2024

This vulnerability in MLflow allows remote code execution when users interact with maliciously uploaded Langchain AgentExecutor models. Attackers can exploit deserialization flaws to run arbitrary cod...

CVE-2024-37060

HIGH CVSS 8.8 Jun 4, 2024

This vulnerability in MLflow allows remote code execution when deserializing untrusted data from malicious Recipes. It affects MLflow versions 1.27.0 and newer, putting users who run untrusted MLflow ...

CVE-2024-37054

HIGH CVSS 8.8 Jun 4, 2024

This vulnerability allows remote code execution through malicious PyFunc models in MLflow. Attackers can upload specially crafted models that execute arbitrary code when users interact with them. Orga...

CVE-2024-37056

HIGH CVSS 8.8 Jun 4, 2024

This vulnerability allows remote code execution through malicious ML models in MLflow. Attackers can upload specially crafted LightGBM scikit-learn models that execute arbitrary code when loaded. Orga...

CVE-2024-37052

HIGH CVSS 8.8 Jun 4, 2024

This vulnerability allows remote code execution through malicious ML models in MLflow. Attackers can upload specially crafted scikit-learn models that execute arbitrary code when loaded. Organizations...
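The five deserialization entries above (CVE-2024-37052, CVE-2024-37054, CVE-2024-37056, CVE-2024-37058, CVE-2024-37060) share one mechanism: a model or recipe file is a pickle, and a pickle can name any importable callable to run while it is loaded. The code below is an added example, not MLflow's or any flavor's own loader. It shows plain `pickle.loads` running a callable from a constructed model file, and a `RestrictedUnpickler` that only resolves globals on an allowlist. `ALLOWED_GLOBALS` is hypothetical; a real sklearn model would need its numpy and sklearn classes listed explicitly. The payload calls `os.getcwd` so the demonstration stays harmless.

```python
"""Allowlisted unpickling for model files from an untrusted registry (added example)."""
import io
import os
import pickle

# Hypothetical allowlist: every (module, name) a trusted model file is expected to
# reference. Nothing outside this set can be imported by the restricted unpickler.
ALLOWED_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "tuple"),
    ("builtins", "set"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses any global not on the allowlist.

    pickle resolves callables through find_class(); overriding it is the hook
    that stops a GLOBAL/STACK_GLOBAL opcode from importing arbitrary code.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name} from model file")


def load_unrestricted(data: bytes):
    """What loading a model with plain pickle does: any callable named in the
    file is imported and invoked during load, before the caller sees an object."""
    return pickle.loads(data)


def load_restricted(data: bytes):
    """Returns ('ok', obj) for an allowlisted model or ('rejected', reason)."""
    try:
        return "ok", RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)


class _ConstructedPayload:
    """Constructed stand-in for a malicious model object. Its __reduce__ makes
    the pickle call os.getcwd() on load; a real attacker names a callable that
    runs a command instead. getcwd is used here so the example is harmless."""

    def __reduce__(self):
        return (os.getcwd, ())


def build_constructed_payload() -> bytes:
    """Serialise the constructed payload exactly as an uploaded model would be."""
    return pickle.dumps(_ConstructedPayload())


def build_benign_model() -> bytes:
    """A toy 'model' made only of containers and numbers: nothing to import."""
    return pickle.dumps({"coef": [0.25, -1.5], "intercept": 0.75, "features": ("x1", "x2")})


if __name__ == "__main__":
    payload = build_constructed_payload()
    print("plain pickle.loads returned:", load_unrestricted(payload))  # the cwd: code ran
    print("restricted:", load_restricted(payload))                     # rejected
    print("restricted, benign model:", load_restricted(build_benign_model()))
```

An allowlist narrows the attack surface but does not make pickle a safe interchange format; classes on the list can still have surprising constructors. For models that cross a trust boundary, prefer formats that carry no code (for example ONNX or safetensors) and treat anything pickled as executable input from its uploader.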

CVE-2024-1593

HIGH CVSS 7.5 Apr 16, 2024

A path traversal vulnerability in MLflow allows attackers to use ';' characters in URL parameters to access unauthorized files or directories. This affects MLflow deployments where the vulnerable code...

CVE-2024-1558

HIGH CVSS 7.5 Apr 16, 2024

This path traversal vulnerability in MLflow allows attackers to read arbitrary files on the server by exploiting improper validation of the source parameter in model version creation. It affects MLflo...

CVE-2024-27133

HIGH CVSS 7.5 Feb 23, 2024

CVE-2024-27133 is a cross-site scripting (XSS) vulnerability in MLflow that occurs when running recipes with untrusted datasets. Insufficient sanitization of dataset table fields allows attackers to i...

CVE-2023-6976

HIGH CVSS 8.8 Dec 20, 2023

This vulnerability in MLflow allows attackers to write arbitrary files to arbitrary locations on the server filesystem, potentially leading to remote code execution. It affects MLflow deployments with...

CVE-2023-6940

HIGH CVSS 8.8 Dec 19, 2023

CVE-2023-6940 is a command injection vulnerability in MLflow that allows attackers to execute arbitrary commands on the victim system by tricking users into downloading a malicious configuration file....

CVE-2023-6909

HIGH CVSS 7.5 Dec 18, 2023

This path traversal vulnerability in MLflow allows attackers to access arbitrary files on the server by using '\..\filename' sequences in requests. It affects MLflow deployments prior to version 2.9.2...

CVE-2023-6753

HIGH CVSS 8.8 Dec 13, 2023

This path traversal vulnerability in MLflow allows attackers to read arbitrary files on the server by manipulating file paths in requests. It affects all MLflow deployments running versions prior to 2...

CVE-2023-43472

HIGH CVSS 7.5 Dec 5, 2023

This vulnerability in MLflow allows remote attackers to access sensitive information through crafted REST API requests. It affects MLflow deployments with exposed REST APIs, potentially exposing model...

CVE-2023-6015

HIGH CVSS 7.5 Nov 16, 2023

CVE-2023-6015 is a path traversal vulnerability in MLflow that allows attackers to upload arbitrary files to any location on the server's filesystem. This affects MLflow deployments with the artifact ...
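The path traversal entries on this page (CVE-2023-2780, CVE-2023-3765, CVE-2023-6753, CVE-2023-6909, CVE-2024-1558, CVE-2024-1593, CVE-2024-8859 and CVE-2023-6015) differ only in which parameter carries the path and which trick gets past the filter: `\..\` with backslashes, an absolute path, a `;` in a URL parameter, an unvalidated `source`. The check below is an added example, not MLflow's own code, of the two layers a server needs: a syntactic filter that rejects every form named above, and a containment check after symlink resolution so a path that looks relative cannot resolve outside the root. `ARTIFACT_ROOT` is a hypothetical value standing in for the configured artifact store; the sample paths are constructed to mirror the patterns in the advisories.

```python
"""Containment checks for user-supplied artifact paths (added example, not MLflow's own code)."""
import os
import posixpath

# Hypothetical artifact root, standing in for whatever the server is configured with.
ARTIFACT_ROOT = "/srv/mlflow/artifacts"

# Characters that must never reach the filesystem layer: ';' is a path-parameter
# delimiter in some HTTP stacks, and NUL truncates C strings underneath Python.
FORBIDDEN_CHARS = (";", "\x00")


def is_safe_relative_path(user_path: str) -> bool:
    """Syntactic filter: True only for a non-empty relative path with no escape."""
    if not user_path:
        return False
    if any(c in user_path for c in FORBIDDEN_CHARS):
        return False
    # Treat backslashes as separators too: '\..\filename' is a traversal as soon as
    # the path reaches Windows or a library that accepts either separator.
    p = user_path.replace("\\", "/")
    if p.startswith("/") or "://" in p:
        return False
    if len(p) >= 2 and p[0].isalpha() and p[1] == ":":  # drive letter, e.g. C:\
        return False
    # normpath collapses 'a/./b' and 'a/b/../c'; a '..' that survives collapsing
    # is one that climbs above the root.
    normalised = posixpath.normpath(p)
    return ".." not in normalised.split("/")


def resolve_inside_root(root: str, user_path: str):
    """Semantic check: resolve symlinks, then confirm the result is under root.

    Returns the absolute resolved path, or None if the request must be rejected.
    """
    if not is_safe_relative_path(user_path):
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    # commonpath compares whole components, so '/srv/mlflow/artifacts-evil'
    # does not pass as being inside '/srv/mlflow/artifacts'.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def resolve_artifact(user_path: str):
    """Convenience wrapper bound to the hypothetical ARTIFACT_ROOT."""
    return resolve_inside_root(ARTIFACT_ROOT, user_path)


# Constructed requests modelled on the patterns named in the advisories above.
SAMPLE_PATHS = [
    "models/m1/MLmodel",            # legitimate artifact
    "\\..\\..\\etc\\passwd",        # backslash traversal
    "models/../../etc/passwd",      # forward-slash traversal
    "/etc/passwd",                  # absolute path
    "models;/../etc/passwd",        # ';' in a URL parameter
    "C:\\Windows\\win.ini",         # Windows drive letter
    "file:///etc/passwd",           # URI where a path was expected
]


def classify(paths):
    """Map each path to (syntactically safe, resolved path or None)."""
    return {p: (is_safe_relative_path(p), resolve_artifact(p)) for p in paths}


if __name__ == "__main__":
    for path, verdict in classify(SAMPLE_PATHS).items():
        print(f"{path!r:32} -> {verdict}")
```

Both layers matter: the syntactic filter gives a clear rejection reason and catches Windows-only forms on a Linux server, while the `realpath` containment check is the one that holds when a symlink or mount inside the artifact root points elsewhere. Apply the same check to every parameter that becomes a filesystem path, including a model version's `source`, not only to the artifact download route.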

CVE-2023-4033

HIGH CVSS 7.8 Aug 1, 2023

This CVE describes an OS command injection vulnerability in MLflow versions prior to 2.6.0. Attackers can execute arbitrary operating system commands on the server by injecting malicious input into vu...

CVE-2025-1474

MEDIUM CVSS 5.5 Mar 20, 2025

In MLflow version 2.18, administrators can create user accounts without setting passwords, violating secure account management practices. This vulnerability could allow unauthorized access to these a...