Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1oaDhwLXA4bXAtZ3Fobc4AA37i

Critical EPSS: 0.01542% (0.8051 Percentile) EPSS:
Permalink JSON

MLFlow Path Traversal Vulnerability

Affected Packages Affected Versions Fixed Versions
pypi:mlflow < 2.9.2 2.9.2
360 Dependent packages
5,089 Dependent repositories
20,670,175 Downloads last month

Affected Version Ranges

All affected versions

0.0.1, 0.1.0, 0.2.0, 0.2.1, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.1, 0.5.2, 0.6.0, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.9.0, 0.9.1, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.7.1, 1.7.2, 1.8.0, 1.9.0, 1.9.1, 1.10.0, 1.11.0, 1.12.0, 1.12.1, 1.13.1, 1.14.0, 1.14.1, 1.15.0, 1.16.0, 1.17.0, 1.18.0, 1.19.0, 1.20.0, 1.20.1, 1.20.2, 1.21.0, 1.22.0, 1.23.0, 1.23.1, 1.24.0, 1.25.0, 1.25.1, 1.26.0, 1.26.1, 1.27.0, 1.28.0, 1.29.0, 1.30.0, 1.30.1, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.6.0, 2.7.0, 2.7.1, 2.8.0, 2.8.1, 2.9.0, 2.9.1

All unaffected versions

2.9.2, 2.10.0, 2.10.1, 2.10.2, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4, 2.12.0, 2.12.1, 2.12.2, 2.13.0, 2.13.1, 2.13.2, 2.14.0, 2.14.1, 2.14.2, 2.14.3, 2.15.0, 2.15.1, 2.16.0, 2.16.1, 2.16.2, 2.17.0, 2.17.1, 2.17.2, 2.18.0, 2.19.0, 2.20.0, 2.20.1, 2.20.2, 2.20.3, 2.20.4, 2.21.0, 2.21.1, 2.21.2, 2.21.3, 2.22.0, 2.22.1, 3.0.0, 3.0.1, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4

A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information.

References:

Identifiers

GHSA-hh8p-p8mp-gqhm

CVE-2023-6975

Risk

Severity

Critical

EPSS

EPSS Percentage: 0.01542

EPSS Percentile: 0.8051

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/mlflow/mlflow

Date and time

Published

over 1 year ago

Updated

over 1 year ago

API

JSON