apk package
wolfi/mlflow-iamguarded-compat
pkg:apk/wolfi/mlflow-iamguarded-compat
Vulnerabilities (47)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-37057 | — | < 3.5.1-r1 | 3.5.1-r1 | Jun 4, 2024 | Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.0.0rc0 or newer, enabling a maliciously uploaded Tensorflow model to run arbitrary code on an end user’s system when interacted with. | ||
| CVE-2024-37056 | — | < 3.5.1-r1 | 3.5.1-r1 | Jun 4, 2024 | Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.23.0 or newer, enabling a maliciously uploaded LightGBM scikit-learn model to run arbitrary code on an end user’s system when interacted with. | ||
| CVE-2024-37055 | — | < 3.5.1-r1 | 3.5.1-r1 | Jun 4, 2024 | Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.24.0 or newer, enabling a maliciously uploaded pmdarima model to run arbitrary code on an end user’s system when interacted with. | ||
| CVE-2024-37054 | — | < 3.5.1-r1 | 3.5.1-r1 | Jun 4, 2024 | Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.9.0 or newer, enabling a maliciously uploaded PyFunc model to run arbitrary code on an end user’s system when interacted with. | ||
| CVE-2024-37053 | — | < 3.5.1-r1 | 3.5.1-r1 | Jun 4, 2024 | Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with. | ||
| CVE-2024-37052 | — | < 3.5.1-r1 | 3.5.1-r1 | Jun 4, 2024 | Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with. | ||
| CVE-2024-35195 | Med | 5.6 | < 2.13.1-r0 | 2.13.1-r0 | May 20, 2024 | Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes |
- CVE-2024-37057Jun 4, 2024affected < 3.5.1-r1fixed 3.5.1-r1
Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.0.0rc0 or newer, enabling a maliciously uploaded Tensorflow model to run arbitrary code on an end user’s system when interacted with.
- CVE-2024-37056Jun 4, 2024affected < 3.5.1-r1fixed 3.5.1-r1
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.23.0 or newer, enabling a maliciously uploaded LightGBM scikit-learn model to run arbitrary code on an end user’s system when interacted with.
- CVE-2024-37055Jun 4, 2024affected < 3.5.1-r1fixed 3.5.1-r1
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.24.0 or newer, enabling a maliciously uploaded pmdarima model to run arbitrary code on an end user’s system when interacted with.
- CVE-2024-37054Jun 4, 2024affected < 3.5.1-r1fixed 3.5.1-r1
Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.9.0 or newer, enabling a maliciously uploaded PyFunc model to run arbitrary code on an end user’s system when interacted with.
- CVE-2024-37053Jun 4, 2024affected < 3.5.1-r1fixed 3.5.1-r1
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with.
- CVE-2024-37052Jun 4, 2024affected < 3.5.1-r1fixed 3.5.1-r1
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with.
- affected < 2.13.1-r0fixed 2.13.1-r0
Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes
Page 3 of 3