LF Projects MLflow 2.14.3

CPE Details

LF Projects MLflow 2.14.3
lfprojects
mlflow
2.14.3
2025-01-22
13h57 +00:00
2025-01-22
13h57 +00:00
CPE NVD
Alerte pour un CPE
Restez informé de toutes modifications pour un CPE spécifique.
Gestion des notifications

CPE Name: cpe:2.3:a:lfprojects:mlflow:2.14.3:*:*:*:*:*:*:*

Informations

Vendor

lfprojects

Product

mlflow

Version

2.14.3

Related CVE

Open and find in CVE List

CVE ID Publié Description Score Gravité
CVE-2024-27134 2024-11-25 13h48 +00:00 Excessive directory permissions in MLflow leads to local privilege escalation when using spark_udf. This behavior can be exploited by a local attacker to gain elevated permissions by using a ToCToU attack. The issue is only relevant when the spark_udf() MLflow API is called.
7
Haute
CVE-2024-37061 2024-06-04 12h02 +00:00 Remote Code Execution can occur in versions of the MLflow platform running version 1.11.0 or newer, enabling a maliciously crafted MLproject to execute arbitrary code on an end user’s system when run.
8.8
Haute
CVE-2024-37060 2024-06-04 12h02 +00:00 Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.27.0 or newer, enabling a maliciously crafted Recipe to execute arbitrary code on an end user’s system when run.
8.8
Haute
CVE-2024-37059 2024-06-04 12h01 +00:00 Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with.
8.8
Haute
CVE-2024-37058 2024-06-04 12h01 +00:00 Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.5.0 or newer, enabling a maliciously uploaded Langchain AgentExecutor model to run arbitrary code on an end user’s system when interacted with.
8.8
Haute
CVE-2024-37057 2024-06-04 12h01 +00:00 Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.0.0rc0 or newer, enabling a maliciously uploaded Tensorflow model to run arbitrary code on an end user’s system when interacted with.
8.8
Haute
CVE-2024-37056 2024-06-04 12h01 +00:00 Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.23.0 or newer, enabling a maliciously uploaded LightGBM scikit-learn model to run arbitrary code on an end user’s system when interacted with.
8.8
Haute
CVE-2024-37055 2024-06-04 12h00 +00:00 Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.24.0 or newer, enabling a maliciously uploaded pmdarima model to run arbitrary code on an end user’s system when interacted with.
8.8
Haute
CVE-2024-37054 2024-06-04 12h00 +00:00 Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.9.0 or newer, enabling a maliciously uploaded PyFunc model to run arbitrary code on an end user’s system when interacted with.
8.8
Haute
CVE-2024-37053 2024-06-04 12h00 +00:00 Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with.
8.8
Haute
CVE-2024-37052 2024-06-04 11h59 +00:00 Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with.
8.8
Haute
CVE-2023-6014 2023-11-16 21h07 +00:00 An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirment.
9.8
Critique