Vulnerabilities > Lfprojects
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-06-04 | CVE-2024-37059 | Deserialization of Untrusted Data vulnerability in Lfprojects Mlflow Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with. | 8.8 |
| 2024-06-04 | CVE-2024-37060 | Deserialization of Untrusted Data vulnerability in Lfprojects Mlflow Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.27.0 or newer, enabling a maliciously crafted Recipe to execute arbitrary code on an end user’s system when run. | 8.8 |
| 2024-06-04 | CVE-2024-37061 | Code Injection vulnerability in Lfprojects Mlflow Remote Code Execution can occur in versions of the MLflow platform running version 1.11.0 or newer, enabling a maliciously crafted MLproject to execute arbitrary code on an end user’s system when run. | 8.8 |
| 2024-05-16 | CVE-2024-3848 | Path Traversal vulnerability in Lfprojects Mlflow A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. | 7.5 |
| 2024-05-16 | CVE-2024-4263 | Unspecified vulnerability in Lfprojects Mlflow A broken access control vulnerability exists in mlflow/mlflow versions before 2.10.1, where low privilege users with only EDIT permissions on an experiment can delete any artifacts. | 5.4 |
| 2024-04-16 | CVE-2024-1483 | Unspecified vulnerability in Lfprojects Mlflow A path traversal vulnerability exists in mlflow/mlflow version 2.9.2, allowing attackers to access arbitrary files on the server. | 7.5 |
| 2024-04-16 | CVE-2024-1558 | Unspecified vulnerability in Lfprojects Mlflow A path traversal vulnerability exists in the `_create_model_version()` function within `server/handlers.py` of the mlflow/mlflow repository, due to improper validation of the `source` parameter. | 7.5 |
| 2024-04-16 | CVE-2024-1560 | Unspecified vulnerability in Lfprojects Mlflow A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the artifact deletion functionality. | 8.1 |
| 2024-04-16 | CVE-2024-1593 | Unspecified vulnerability in Lfprojects Mlflow A path traversal vulnerability exists in the mlflow/mlflow repository due to improper handling of URL parameters. | 7.5 |
| 2024-04-16 | CVE-2024-1594 | Unspecified vulnerability in Lfprojects Mlflow A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the `artifact_location` parameter when creating an experiment. | 7.5 |