
CVE-2024-37052
https://notcve.org/view.php?id=CVE-2024-37052
04 Jun 2024 — Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user's system when interacted with. • https://hiddenlayer.com/sai-security-advisory/mlflow-june2024 • CWE-502: Deserialization of Untrusted Data

CVE-2023-6977 – Path Traversal: '\..\filename'
https://notcve.org/view.php?id=CVE-2023-6977
20 Dec 2023 — This vulnerability enables malicious users to read sensitive files on the server. • https://github.com/mlflow/mlflow/commit/4bd7f27c810ba7487d53ed5ef1038fca0f8dc28c • CWE-29: Path Traversal: '\..\filename'

CVE-2023-6976 – Unrestricted Upload of File with Dangerous Type
https://notcve.org/view.php?id=CVE-2023-6976
20 Dec 2023 — This vulnerability is capable of writing arbitrary files into arbitrary locations on the remote filesystem in the context of the server process. • https://github.com/mlflow/mlflow/commit/5044878da0c1851ccfdd5c0a867157ed9a502fbc • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2023-6975 – Path Traversal: '\..\filename'
https://notcve.org/view.php?id=CVE-2023-6975
20 Dec 2023 — A malicious user could use this issue to get command execution on the vulnerable machine and gain access to data and model information. • https://github.com/mlflow/mlflow/commit/b9ab9ed77e1deda9697fe472fb1079fd428149ee • CWE-29: Path Traversal: '\..\filename'

CVE-2023-6974 – Server-Side Request Forgery (SSRF)
https://notcve.org/view.php?id=CVE-2023-6974
20 Dec 2023 — A malicious user could use this issue to access internal HTTP(S) servers and, in the worst case (e.g. an AWS instance), it could be abused to obtain remote code execution on the victim machine. • https://github.com/mlflow/mlflow/commit/8174250f83352a04c2d42079f414759060458555 • CWE-918: Server-Side Request Forgery (SSRF)

CVE-2023-6940 – Command Injection
https://notcve.org/view.php?id=CVE-2023-6940
19 Dec 2023 — With only one user interaction (downloading a malicious config), attackers can gain full command execution on the victim system. • https://github.com/mlflow/mlflow/commit/5139b1087d686fa52e2b087e09da66aff86297b1 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVE-2023-6909 – Path Traversal: '\..\filename' in mlflow/mlflow
https://notcve.org/view.php?id=CVE-2023-6909
18 Dec 2023 — Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2. • https://github.com/mlflow/mlflow/commit/1da75dfcecd4d169e34809ade55748384e8af6c1 • CWE-29: Path Traversal: '\..\filename'

CVE-2023-6831 – Path Traversal: '\..\filename' in mlflow/mlflow
https://notcve.org/view.php?id=CVE-2023-6831
15 Dec 2023 — Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2. • https://github.com/mlflow/mlflow/commit/1da75dfcecd4d169e34809ade55748384e8af6c1 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') • CWE-29: Path Traversal: '\..\filename'

CVE-2023-6753 – Path Traversal in mlflow/mlflow
https://notcve.org/view.php?id=CVE-2023-6753
13 Dec 2023 — Path Traversal in GitHub repository mlflow/mlflow prior to 2.9.2. • https://github.com/mlflow/mlflow/commit/1c6309f884798fbf56017a3cc808016869ee8de4 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2023-6709 – Improper Neutralization of Special Elements Used in a Template Engine in mlflow/mlflow
https://notcve.org/view.php?id=CVE-2023-6709
12 Dec 2023 — Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository mlflow/mlflow prior to 2.9.2. • https://github.com/mlflow/mlflow/commit/432b8ccf27fd3a76df4ba79bb1bec62118a85625 • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine