Vulnerabilities > Lfprojects > Mlflow > 2.20.0
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-06-04 | CVE-2024-37052 | Deserialization of Untrusted Data vulnerability in Lfprojects Mlflow Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with. | 8.8 |
| 2024-06-04 | CVE-2024-37053 | Deserialization of Untrusted Data vulnerability in Lfprojects Mlflow Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with. | 8.8 |
| 2024-06-04 | CVE-2024-37054 | Deserialization of Untrusted Data vulnerability in Lfprojects Mlflow Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.9.0 or newer, enabling a maliciously uploaded PyFunc model to run arbitrary code on an end user’s system when interacted with. | 8.8 |
| 2024-06-04 | CVE-2024-37055 | Deserialization of Untrusted Data vulnerability in Lfprojects Mlflow Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.24.0 or newer, enabling a maliciously uploaded pmdarima model to run arbitrary code on an end user’s system when interacted with. | 8.8 |
| 2024-06-04 | CVE-2024-37056 | Deserialization of Untrusted Data vulnerability in Lfprojects Mlflow Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.23.0 or newer, enabling a maliciously uploaded LightGBM scikit-learn model to run arbitrary code on an end user’s system when interacted with. | 8.8 |
| 2024-06-04 | CVE-2024-37057 | Deserialization of Untrusted Data vulnerability in Lfprojects Mlflow Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.0.0rc0 or newer, enabling a maliciously uploaded Tensorflow model to run arbitrary code on an end user’s system when interacted with. | 8.8 |
| 2024-06-04 | CVE-2024-37058 | Deserialization of Untrusted Data vulnerability in Lfprojects Mlflow Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.5.0 or newer, enabling a maliciously uploaded Langchain AgentExecutor model to run arbitrary code on an end user’s system when interacted with. | 8.8 |
| 2024-06-04 | CVE-2024-37059 | Deserialization of Untrusted Data vulnerability in Lfprojects Mlflow Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with. | 8.8 |
| 2024-06-04 | CVE-2024-37060 | Deserialization of Untrusted Data vulnerability in Lfprojects Mlflow Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.27.0 or newer, enabling a maliciously crafted Recipe to execute arbitrary code on an end user’s system when run. | 8.8 |
| 2024-06-04 | CVE-2024-37061 | Code Injection vulnerability in Lfprojects Mlflow Remote Code Execution can occur in versions of the MLflow platform running version 1.11.0 or newer, enabling a maliciously crafted MLproject to execute arbitrary code on an end user’s system when run. | 8.8 |