Vulnerabilities > Lfprojects > Mlflow
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2025-03-20 | CVE-2024-6838 | Unspecified vulnerability in Lfprojects Mlflow 2.13.2 In mlflow/mlflow version v2.13.2, a vulnerability exists that allows the creation or renaming of an experiment with a large number of integers in its name due to the lack of a limit on the experiment name. | 5.3 |
| 2025-03-20 | CVE-2025-0453 | Unspecified vulnerability in Lfprojects Mlflow 2.17.2 In mlflow/mlflow version 2.17.2, the `/graphql` endpoint is vulnerable to a denial of service attack. | 7.5 |
| 2025-03-20 | CVE-2025-1474 | Weak Password Requirements vulnerability in Lfprojects Mlflow In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. | 5.5 |
| 2024-11-25 | CVE-2024-27134 | Unspecified vulnerability in Lfprojects Mlflow Excessive directory permissions in MLflow leads to local privilege escalation when using spark_udf. | 7.0 |
| 2024-06-06 | CVE-2024-0520 | Path Traversal vulnerability in Lfprojects Mlflow A vulnerability in mlflow/mlflow version 8.2.1 allows for remote code execution due to improper neutralization of special elements used in an OS command ('Command Injection') within the `mlflow.data.http_dataset_source.py` module. | 8.8 |
| 2024-06-06 | CVE-2024-2928 | Path Traversal vulnerability in Lfprojects Mlflow A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. | 7.5 |
| 2024-06-06 | CVE-2024-3099 | Unspecified vulnerability in Lfprojects Mlflow A vulnerability in mlflow/mlflow version 2.11.1 allows attackers to create multiple models with the same name by exploiting URL encoding. | 5.4 |
| 2024-06-04 | CVE-2024-37052 | Deserialization of Untrusted Data vulnerability in Lfprojects Mlflow Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with. | 8.8 |
| 2024-06-04 | CVE-2024-37053 | Deserialization of Untrusted Data vulnerability in Lfprojects Mlflow Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with. | 8.8 |
| 2024-06-04 | CVE-2024-37054 | Deserialization of Untrusted Data vulnerability in Lfprojects Mlflow Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.9.0 or newer, enabling a maliciously uploaded PyFunc model to run arbitrary code on an end user’s system when interacted with. | 8.8 |