CVSS: 2.8EPSS: 0%CPEs: 11EXPL: 1CVE-2024-22194 – cdo-local-uuid vulnerable to insertion of artifact derived from developer's Present Working Directory into demonstration code
https://notcve.org/view.php?id=CVE-2024-22194
cdo-local-uuid project provides a specialized UUID-generating function that can, on user request, cause a program to generate deterministic UUIDs. An information leakage vulnerability is present in `cdo-local-uuid` at version `0.4.0`, and in `case-utils` in unpatched versions (matching the pattern `0.x.0`) at and since `0.5.0`, before `0.15.0`. The vulnerability stems from a Python function, `cdo_local_uuid.local_uuid()`, and its original implementation `case_utils.local_uuid()`. El proyecto cdo-local-uuid proporciona una función especializada de generación de UUID que puede, a petición del usuario, hacer que un programa genere UUID deterministas. Una vulnerabilidad de fuga de información está presente en `cdo-local-uuid` en la versión `0.4.0`, y en `case-utils` en versiones sin parches (que coinciden con el patrón `0.x.0`) en y desde `0.5. 0`, antes de `0.15.0`. • https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/commit/9e78f7cb1075728d0aafc918514f32a1392cd235 https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/pull/3 https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/pull/4 https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/security/advisories/GHSA-rgrf-6mf5-m882 https://github.com/casework/CASE-Utilities-Python/commit/00864cd12de7c50d882dd1a74915d32e939c25f9 https://github.com/casework/CASE-Utilities-Python/commit/1cccae8eb3cf94b3a28f6490ef • CWE-215: Insertion of Sensitive Information Into Debugging Code CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG) •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-6977 – Path Traversal: '\..\filename'
https://notcve.org/view.php?id=CVE-2023-6977
This vulnerability enables malicious users to read sensitive files on the server. Esta vulnerabilidad permite a usuarios malintencionados leer archivos confidenciales en el servidor. • https://github.com/mlflow/mlflow/commit/4bd7f27c810ba7487d53ed5ef1038fca0f8dc28c https://huntr.com/bounties/fe53bf71-3687-4711-90df-c26172880aaf • CWE-29: Path Traversal: '\..\filename' •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-6976 – Unrestricted Upload of File with Dangerous Type
https://notcve.org/view.php?id=CVE-2023-6976
This vulnerability is capable of writing arbitrary files into arbitrary locations on the remote filesystem in the context of the server process. Esta vulnerabilidad es capaz de escribir archivos arbitrarios en ubicaciones arbitrarias en el sistema de archivos remoto en el contexto del proceso del servidor. • https://github.com/mlflow/mlflow/commit/5044878da0c1851ccfdd5c0a867157ed9a502fbc https://huntr.com/bounties/2408a52b-f05b-4cac-9765-4f74bac3f20f • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-6975 – Path Traversal: '\..\filename'
https://notcve.org/view.php?id=CVE-2023-6975
A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information. Un usuario malintencionado podría utilizar este problema para ejecutar comandos en la máquina vulnerable y obtener acceso a información de datos y modelos. • https://github.com/mlflow/mlflow/commit/b9ab9ed77e1deda9697fe472fb1079fd428149ee https://huntr.com/bounties/029a3824-cee3-4cf1-b260-7138aa539b85 • CWE-29: Path Traversal: '\..\filename' •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-6974 – Server-Side Request Forgery (SSRF)
https://notcve.org/view.php?id=CVE-2023-6974
A malicious user could use this issue to access internal HTTP(s) servers and in the worst case (ie: aws instance) it could be abuse to get a remote code execution on the victim machine. Un usuario malintencionado podría utilizar este problema para acceder a servidores HTTP internos y, en el peor de los casos (es decir, instancia de AWS), podría ser un abuso obtener una ejecución remota de código en la máquina víctima. • https://github.com/mlflow/mlflow/commit/8174250f83352a04c2d42079f414759060458555 https://huntr.com/bounties/438b0524-da0e-4d08-976a-6f270c688393 • CWE-918: Server-Side Request Forgery (SSRF) •