Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.23.0 or newer, enabling a maliciously uploaded LightGBM scikit-learn model to run arbitrary code on an end user’s system when interacted with.
{ "severity": "High", "cpes": [ "cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*", "cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:python:*:*" ] }