GSA_kwCzR0hTQS03cDhqLXF2NngtZjRnNM4AA8rh

High EPSS: 0.00384% (0.58913 Percentile) EPSS:

Permalink JSON

MLFlow unsafe deserialization

Affected Packages	Affected Versions	Fixed Versions
pypi:mlflow	>= 1.23.0, <= 2.14.1	No known fixed version
360 Dependent packages 5,089 Dependent repositories 20,670,175 Downloads last month Affected Version Ranges All affected versions 1.23.0, 1.23.1, 1.24.0, 1.25.0, 1.25.1, 1.26.0, 1.26.1, 1.27.0, 1.28.0, 1.29.0, 1.30.0, 1.30.1, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.6.0, 2.7.0, 2.7.1, 2.8.0, 2.8.1, 2.9.0, 2.9.1, 2.9.2, 2.10.0, 2.10.1, 2.10.2, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4, 2.12.0, 2.12.1, 2.12.2, 2.13.0, 2.13.1, 2.13.2, 2.14.0, 2.14.1

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.23.0 or newer, enabling a maliciously uploaded LightGBM scikit-learn model to run arbitrary code on an end user’s system when interacted with.

References:

https://nvd.nist.gov/vuln/detail/CVE-2024-37056
https://hiddenlayer.com/sai-security-advisory/mlflow-june2024
https://github.com/advisories/GHSA-7p8j-qv6x-f4g4

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories

GSA_kwCzR0hTQS03cDhqLXF2NngtZjRnNM4AA8rh

MLFlow unsafe deserialization

Affected Version Ranges

All affected versions

Identifiers

Risk

Severity

EPSS

Classification

Source

Origin

Date and time

Published

Updated

API