Bitnami package
mlflow
pkg:bitnami/mlflow
Vulnerabilities (73)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-6568 | — | < 2.9.1 | 2.9.1 | Dec 7, 2023 | A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the Content-Type header in POST requests. An attacker can inject malicious JavaScript code into the Content-Type header, which is then improperly refle | ||
| CVE-2023-43472 | — | < 2.8.2 | 2.8.2 | Dec 5, 2023 | An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API. | ||
| CVE-2023-6014 | — | — | — | Nov 16, 2023 | An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirment. | ||
| CVE-2023-6015 | — | < 2.8.1 | 2.8.1 | Nov 16, 2023 | MLflow allowed arbitrary files to be PUT onto the server. | ||
| CVE-2023-6018 | — | — | — | Nov 16, 2023 | An attacker can overwrite any file on the server hosting MLflow without any authentication. | ||
| CVE-2023-4033 | — | < 2.6.0 | 2.6.0 | Aug 1, 2023 | OS Command Injection in GitHub repository mlflow/mlflow prior to 2.6.0. | ||
| CVE-2023-3765 | — | < 2.5.0 | 2.5.0 | Jul 19, 2023 | Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0. | ||
| CVE-2023-2780 | — | < 2.3.1 | 2.3.1 | May 17, 2023 | Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.3.1. | ||
| CVE-2023-30172 | — | < 2.0.1 | 2.0.1 | May 11, 2023 | A directory traversal vulnerability in the /get-artifact API method of the mlflow platform up to v2.0.1 allows attackers to read arbitrary files on the server via the path parameter. | ||
| CVE-2023-2356 | — | < 2.3.1 | 2.3.1 | Apr 28, 2023 | Relative Path Traversal in GitHub repository mlflow/mlflow prior to 2.3.1. | ||
| CVE-2023-1177 | — | < 2.2.1 | 2.2.1 | Mar 24, 2023 | Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1. | ||
| CVE-2023-1176 | — | < 2.2.2 | 2.2.2 | Mar 24, 2023 | Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.2.2. | ||
| CVE-2022-0736 | — | < 1.23.1 | 1.23.1 | Feb 23, 2022 | Insecure Temporary File in GitHub repository mlflow/mlflow prior to 1.23.1. |
- CVE-2023-6568Dec 7, 2023affected < 2.9.1fixed 2.9.1
A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the Content-Type header in POST requests. An attacker can inject malicious JavaScript code into the Content-Type header, which is then improperly refle
- CVE-2023-43472Dec 5, 2023affected < 2.8.2fixed 2.8.2
An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API.
- CVE-2023-6014Nov 16, 2023
An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirment.
- CVE-2023-6015Nov 16, 2023affected < 2.8.1fixed 2.8.1
MLflow allowed arbitrary files to be PUT onto the server.
- CVE-2023-6018Nov 16, 2023
An attacker can overwrite any file on the server hosting MLflow without any authentication.
- CVE-2023-4033Aug 1, 2023affected < 2.6.0fixed 2.6.0
OS Command Injection in GitHub repository mlflow/mlflow prior to 2.6.0.
- CVE-2023-3765Jul 19, 2023affected < 2.5.0fixed 2.5.0
Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0.
- CVE-2023-2780May 17, 2023affected < 2.3.1fixed 2.3.1
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.3.1.
- CVE-2023-30172May 11, 2023affected < 2.0.1fixed 2.0.1
A directory traversal vulnerability in the /get-artifact API method of the mlflow platform up to v2.0.1 allows attackers to read arbitrary files on the server via the path parameter.
- CVE-2023-2356Apr 28, 2023affected < 2.3.1fixed 2.3.1
Relative Path Traversal in GitHub repository mlflow/mlflow prior to 2.3.1.
- CVE-2023-1177Mar 24, 2023affected < 2.2.1fixed 2.2.1
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1.
- CVE-2023-1176Mar 24, 2023affected < 2.2.2fixed 2.2.2
Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.2.2.
- CVE-2022-0736Feb 23, 2022affected < 1.23.1fixed 1.23.1
Insecure Temporary File in GitHub repository mlflow/mlflow prior to 1.23.1.
Page 4 of 4