Version 2.18.0

mlflow

Open source platform for the machine learning lifecycle

Install Instructions

pip install mlflow
Current Version Release Date November 18, 2024
Language Python
Package URL (purl) pkg:pip/mlflow@2.18.0

Find mlflow vulnerabilities in your supply chain.

Scan for Free

mlflow Vulnerabilities

Sort by
icon CVE (Latest)
  • icon CVE (Latest)
  • icon CVE (Oldest)
  • icon CVSS Score (Highest)
  • icon CVSS Score (Lowest)
CVE question mark icon CVSS Score question mark icon CWE(s) question mark icon EPSS Score question mark icon EPSS % question mark icon Impacted Versions
CVE-2023-1176 Low 3.3 CWE-36 0.00044 0.14248
  • 2.0.0–2.2.1
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2023-1177 High 9.8 CWE-29, CWE-22 0.22219 0.96649
  • 2.0.0–2.2.0
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2023-2356 High 7.5 CWE-23 0.01343 0.8664
  • 2.0.0–2.3.0
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2023-2780 High 9.8 CWE-29 0.03766 0.92127
  • 2.0.0–2.2.2
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2023-30172 High 7.5 CWE-22 0.00117 0.46926
  • 2.0.0
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2023-3765 High 10 CWE-36 0.02062 0.89449
  • 2.0.0–2.4.2
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2023-4033 High 7.8 CWE-78 0.00043 0.10981
  • 2.0.0–2.5.0
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2023-43472 High 7.5 0.015 0.87382
  • 2.0.0–2.8.1
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2023-6014 High 9.8 CWE-598 0.00118 0.47353
  • 2.0.0–2.7.1
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2023-6015 High 7.5 CWE-22 0.00099 0.42546
  • 2.0.0–2.8.0
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2023-6018 High 9.8 CWE-78 0.91159 0.99
  • 2.0.0–2.9.1
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2023-6568 Medium 6.1 CWE-79 0.00078 0.35043
  • 2.0.0–2.8.1
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2023-6709 High 8.8 CWE-1336 0.00056 0.2489
  • 2.0.0–2.9.1
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2023-6753 High 8.8 CWE-22 0.00101 0.42867
  • 2.0.0–2.9.1
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2023-6831 High 8.1 CWE-29, CWE-22 0.00487 0.76701
  • 2.0.0–2.9.1
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2023-6909 High 7.5 CWE-29 0.00678 0.80522
  • 2.0.0–2.9.1
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2023-6940 High 8.8 CWE-77 0.00156 0.53042
  • 2.0.0–2.9.1
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2023-6974 High 9.8 CWE-918 0.00295 0.69992
  • 2.0.0–2.9.1
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2023-6975 High 9.8 CWE-29 0.00164 0.54075
  • 2.0.0–2.9.1
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2023-6976 High 8.8 CWE-434 0.00056 0.2489
  • 2.0.0–2.9.1
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2024-0520 High 8.8 CWE-23, CWE-22 0.00089 0.39267
  • 2.0.0–2.8.1
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2024-1483 High 7.5 CWE-22 0.00044 0.11869
  • 2.0.0–2.12.0
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2023-6977 High 7.5 CWE-29 0.00561 0.78306
  • 2.0.0–2.9.1
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2024-1558 High 7.5 CWE-22 0.00044 0.11869
  • 2.0.0–2.18.0rc0
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2024-1560 High 8.1 CWE-22 0.00044 0.11869
  • 2.0.0–2.18.0rc0
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2024-1593 High 7.5 CWE-22 0.00044 0.11869
  • 2.0.0–2.12.0
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2024-1594 High 7.5 CWE-22 0.00044 0.11869
  • 2.0.0–2.12.0
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2024-27132 High 7.5 CWE-79 0.00043 0.10302
  • 2.0.0–2.9.2
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2024-27133 High 7.5 CWE-79 0.00043 0.10302
  • 2.0.0–2.9.2
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2024-2928 High 7.5 CWE-29, CWE-22 0.00087 0.38077
  • 2.0.0–2.11.2
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2024-3099 Medium 5.4 CWE-475 0.00044 0.14794
  • 2.0.0–2.11.2
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2024-3573 High 9.3 CWE-29 0.00043 0.10302
  • 2.0.0–2.9.2
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2024-37052 High 8.8 CWE-502 0.00043 0.10302
  • 2.0.0–2.18.0rc0
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2024-37053 High 8.8 CWE-502 0.00043 0.10302
  • 2.0.0–2.18.0rc0
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2024-37054 High 8.8 CWE-502 0.00043 0.10302
  • 2.0.0–2.18.0rc0
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2024-37055 High 8.8 CWE-502 0.00043 0.10302
  • 2.0.0–2.18.0rc0
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2024-37056 High 8.8 CWE-502 0.00043 0.10302
  • 2.0.0–2.18.0rc0
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2024-37057 High 8.8 CWE-502 0.00043 0.10302
  • 2.0.0–2.18.0rc0
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2024-37058 High 8.8 CWE-502 0.00043 0.10302
  • 2.0.0–2.18.0rc0
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2024-37059 High 8.8 CWE-502 0.00043 0.10302
  • 2.0.0–2.18.0rc0
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2024-37060 High 8.8 CWE-502 0.00043 0.10302
  • 2.0.0–2.18.0rc0
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2024-37061 High 8.8 CWE-94 0.00043 0.10302
  • 2.0.0–2.18.0rc0
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2024-4263 Medium 5.4 CWE-284 0.00043 0.10302
  • 2.0.0–2.10.0
  • 1.0.0–1.30.1
  • 0.0.1–0.9.1
CVE-2022-0736 High 7.5 CWE-668, CWE-377 0.00117 0.46914
  • 1.0.0–1.23.0
  • 0.0.1–0.9.1
CVE-2024-3848 High 7.5 CWE-29 0.00043 0.10302
  • 2.9.2–2.12.0

mlflow Vulnerability Remediation Guidance

CVE Description Full list of Impacted Versions Fix
CVE-2024-4263 A broken access control vulnerability exists in mlflow/mlflow versions before 2.10.1, where low privilege users with only EDIT permissions on an experiment can delete any artifacts. This issue arises due to the lack of proper validation for DELETE requests by users with EDIT permissions, allowing them to perform unauthorized deletions of artifacts. The vulnerability specifically affects the handling of artifact deletions within the application, as demonstrated by the ability of a low privilege user to delete a directory inside an artifact using a DELETE request, despite the official documentation stating that users with EDIT permission can only read and update artifacts, not delete them. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2024-3848 A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '#' character can be used to insert a path into the fragment, effectively skipping validation. This allows an attacker to construct a URL that, when processed, ignores the protocol scheme and uses the provided path for filesystem access. As a result, an attacker can read arbitrary files, including sensitive information such as SSH and cloud keys, by exploiting the way the application converts the URL into a filesystem path. The issue stems from insufficient validation of the fragment portion of the URL, leading to arbitrary file read through path traversal. 2.9.2, 2.12.0, 2.11.4, 2.11.3, 2.11.2, 2.11.1, 2.11.0, 2.10.2 (Show all) Patch → NO_SAFE_VERSION
CVE-2024-37061 Remote Code Execution can occur in versions of the MLflow platform running version 1.11.0 or newer, enabling a maliciously crafted MLproject to execute arbitrary code on an end user’s system when run. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2024-37060 Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.27.0 or newer, enabling a maliciously crafted Recipe to execute arbitrary code on an end user’s system when run. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2024-37059 Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2024-37058 Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.5.0 or newer, enabling a maliciously uploaded Langchain AgentExecutor model to run arbitrary code on an end user’s system when interacted with. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2024-37057 Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.0.0rc0 or newer, enabling a maliciously uploaded Tensorflow model to run arbitrary code on an end user’s system when interacted with. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2024-37056 Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.23.0 or newer, enabling a maliciously uploaded LightGBM scikit-learn model to run arbitrary code on an end user’s system when interacted with. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2024-37055 Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.24.0 or newer, enabling a maliciously uploaded pmdarima model to run arbitrary code on an end user’s system when interacted with. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2024-37054 Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.9.0 or newer, enabling a maliciously uploaded PyFunc model to run arbitrary code on an end user’s system when interacted with. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2024-37053 Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2024-37052 Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2024-3573 mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary files on the system. The issue arises from the 'is_local_uri' function's failure to properly handle URIs with empty or 'file' schemes, leading to the misclassification of URIs as non-local. Attackers can exploit this by crafting malicious model versions with specially crafted 'source' parameters, enabling the reading of sensitive files within at least two directory levels from the server's root. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2024-3099 A vulnerability in mlflow/mlflow version 2.11.1 allows attackers to create multiple models with the same name by exploiting URL encoding. This flaw can lead to Denial of Service (DoS) as an authenticated user might not be able to use the intended model, as it will open a different model each time. Additionally, an attacker can exploit this vulnerability to perform data model poisoning by creating a model with the same name, potentially causing an authenticated user to become a victim by using the poisoned model. The issue stems from inadequate validation of model names, allowing for the creation of models with URL-encoded names that are treated as distinct from their URL-decoded counterparts. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2024-2928 A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system, including sensitive files like '/etc/passwd'. The vulnerability is a bypass to a previous patch that only addressed similar manipulation within the URI's query string, highlighting the need for comprehensive validation of all parts of a URI to prevent LFI attacks. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2024-27133 Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over dataset table fields. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2024-27132 Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe. This issue leads to a client-side RCE when running an untrusted recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over template variables. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2024-1594 A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the `artifact_location` parameter when creating an experiment. Attackers can exploit this vulnerability by using a fragment component `#` in the artifact location URI to read arbitrary files on the server in the context of the server's process. This issue is similar to CVE-2023-6909 but utilizes a different component of the URI to achieve the same effect. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2024-1593 A path traversal vulnerability exists in the mlflow/mlflow repository due to improper handling of URL parameters. By smuggling path traversal sequences using the ';' character in URLs, attackers can manipulate the 'params' portion of the URL to gain unauthorized access to files or directories. This vulnerability allows for arbitrary data smuggling into the 'params' part of the URL, enabling attacks similar to those described in previous reports but utilizing the ';' character for parameter smuggling. Successful exploitation could lead to unauthorized information disclosure or server compromise. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2024-1560 A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the artifact deletion functionality. Attackers can bypass path validation by exploiting the double decoding process in the `_delete_artifact_mlflow_artifacts` handler and `local_file_uri_to_path` function, allowing for the deletion of arbitrary directories on the server's filesystem. This vulnerability is due to an extra unquote operation in the `delete_artifacts` function of `local_artifact_repo.py`, which fails to properly sanitize user-supplied paths. The issue is present up to version 2.9.2, despite attempts to fix a similar issue in CVE-2023-6831. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2024-1558 A path traversal vulnerability exists in the `_create_model_version()` function within `server/handlers.py` of the mlflow/mlflow repository, due to improper validation of the `source` parameter. Attackers can exploit this vulnerability by crafting a `source` parameter that bypasses the `_validate_non_local_source_contains_relative_paths(source)` function's checks, allowing for arbitrary file read access on the server. The issue arises from the handling of unquoted URL characters and the subsequent misuse of the original `source` value for model version creation, leading to the exposure of sensitive files when interacting with the `/model-versions/get-artifact` handler. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2024-1483 A path traversal vulnerability exists in mlflow/mlflow version 2.9.2, allowing attackers to access arbitrary files on the server. By crafting a series of HTTP POST requests with specially crafted 'artifact_location' and 'source' parameters, using a local URI with '#' instead of '?', an attacker can traverse the server's directory structure. The issue occurs due to insufficient validation of user-supplied input in the server's handlers. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2024-0520 A vulnerability in mlflow/mlflow version 8.2.1 allows for remote code execution due to improper neutralization of special elements used in an OS command ('Command Injection') within the `mlflow.data.http_dataset_source.py` module. Specifically, when loading a dataset from a source URL with an HTTP scheme, the filename extracted from the `Content-Disposition` header or the URL path is used to generate the final file path without proper sanitization. This flaw enables an attacker to control the file path fully by utilizing path traversal or absolute path techniques, such as '../../tmp/poc.txt' or '/tmp/poc.txt', leading to arbitrary file write. Exploiting this vulnerability could allow a malicious user to execute commands on the vulnerable machine, potentially gaining access to data and model information. The issue is fixed in version 2.9.0. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-6977 This vulnerability enables malicious users to read sensitive files on the server. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-6976 This vulnerability is capable of writing arbitrary files into arbitrary locations on the remote filesystem in the context of the server process. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-6975 A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-6974 A malicious user could use this issue to access internal HTTP(s) servers and in the worst case (ie: aws instance) it could be abuse to get a remote code execution on the victim machine. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-6940 with only one user interaction(download a malicious config), attackers can gain full command execution on the victim system. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-6909 Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-6831 Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-6753 Path Traversal in GitHub repository mlflow/mlflow prior to 2.9.2. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-6709 Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository mlflow/mlflow prior to 2.9.2. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-6568 A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the Content-Type header in POST requests. An attacker can inject malicious JavaScript code into the Content-Type header, which is then improperly reflected back to the user without adequate sanitization or escaping, leading to arbitrary JavaScript execution in the context of the victim's browser. The vulnerability is present in the mlflow/server/auth/__init__.py file, where the user-supplied Content-Type header is directly injected into a Python formatted string and returned to the user, facilitating the XSS attack. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-6018 An attacker can overwrite any file on the server hosting MLflow without any authentication. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-6015 MLflow allowed arbitrary files to be PUT onto the server. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-6014 An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirment. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-43472 An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-4033 OS Command Injection in GitHub repository mlflow/mlflow prior to 2.6.0. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-3765 Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 2.4.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-30172 A directory traversal vulnerability in the /get-artifact API method of the mlflow platform up to v2.0.1 allows attackers to read arbitrary files on the server via the path parameter. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 1.23.1, 1.27.0, 1.28.0, 1.25.1 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-2780 Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.3.1. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 1.28.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-2356 Relative Path Traversal in GitHub repository mlflow/mlflow prior to 2.3.1. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 1.28.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-1177 Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 1.28.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-1176 Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.2.2. 1.29.0, 1.24.0, 1.1.0, 1.23.0, 2.2.0, 1.23.1, 1.27.0, 1.28.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2022-0736 Insecure Temporary File in GitHub repository mlflow/mlflow prior to 1.23.1. 1.1.0, 1.23.0, 1.20.1, 1.19.0, 1.14.1, 1.3.0, 0.2.0, 0.3.0 (Show all) Patch → NO_SAFE_VERSION

Instantly see if these mlflow vulnerabilities affect your code.

Scan for Free

Dependencies

Packages using versions of mlflow affected by its vulnerabilities

Dependent Packages
mlflow-skinny==2.18.0
Flask<4
alembic!=1.10.0,<2
docker<8,>=4.0.0
graphene<4
markdown<4,>=3.3
matplotlib<4
numpy<3
pandas<3
pyarrow<19,>=4.0.0
scikit-learn<2
scipy<2
sqlalchemy<3,>=1.4.0
Jinja2<4,>=2.11; platform_system != "Windows"
gunicorn<24; platform_system != "Windows"
Jinja2<4,>=3.0; platform_system == "Windows"
waitress<4; platform_system == "Windows"
aliyunstoreplugin; extra == "aliyun-oss"
azure-storage-file-datalake>12; extra == "databricks"
google-cloud-storage>=1.30.0; extra == "databricks"
boto3>1; extra == "databricks"
botocore; extra == "databricks"
pyarrow; extra == "extras"
requests-auth-aws-sigv4; extra == "extras"
boto3; extra == "extras"
botocore; extra == "extras"
google-cloud-storage>=1.30.0; extra == "extras"
azureml-core>=1.2.0; extra == "extras"
pysftp; extra == "extras"
kubernetes; extra == "extras"
virtualenv; extra == "extras"
prometheus-flask-exporter; extra == "extras"
pydantic<3,>=1.0; extra == "gateway"
fastapi<1; extra == "gateway"
uvicorn[standard]<1; extra == "gateway"
watchfiles<1; extra == "gateway"
aiohttp<4; extra == "gateway"
boto3<2,>=1.28.56; extra == "gateway"
tiktoken<1; extra == "gateway"
slowapi<1,>=0.1.9; extra == "gateway"
pydantic<3,>=1.0; extra == "genai"
fastapi<1; extra == "genai"
uvicorn[standard]<1; extra == "genai"
watchfiles<1; extra == "genai"
aiohttp<4; extra == "genai"
boto3<2,>=1.28.56; extra == "genai"
tiktoken<1; extra == "genai"
slowapi<1,>=0.1.9; extra == "genai"
mlflow-jfrog-plugin; extra == "jfrog"
langchain<=0.3.7,>=0.1.0; extra == "langchain"
mlserver!=1.3.1,>=1.2.0; extra == "mlserver"
mlserver-mlflow!=1.3.1,>=1.2.0; extra == "mlserver"
mlflow-dbstore; extra == "sqlserver"
mlflow-xethub; extra == "xethub"