GHSA-7p8j-qv6x-f4g4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-7p8j-qv6x-f4g4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-7p8j-qv6x-f4g4/GHSA-7p8j-qv6x-f4g4.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-7p8j-qv6x-f4g4
- Aliases
-
- BIT-mlflow-2024-37056
- CGA-5rg5-hmwm-f62r
- CVE-2024-37056
- Published
- 2024-06-04T12:31:04Z
- Modified
- 2024-10-22T05:29:00.053225Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- MLFlow unsafe deserialization
- Details
-
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.23.0 or newer, enabling a maliciously uploaded LightGBM scikit-learn model to run arbitrary code on an end user’s system when interacted with.
- Database specific
{ "nvd_published_at": "2024-06-04T12:15:11Z", "severity": "HIGH", "github_reviewed_at": "2024-06-05T13:18:19Z", "github_reviewed": true, "cwe_ids": [ "CWE-502" ] }- References
Affected packages
PyPI / mlflow
Package
- Name
- mlflow
- View open source insights on deps.dev
- Purl
- pkg:pypi/mlflow
Affected versions
1.*
1.23.0
1.23.1
1.24.0
1.25.0
1.25.1
1.26.0
1.26.1
1.27.0
1.28.0
1.29.0
1.30.0
1.30.1
2.*
2.0.0rc0
2.0.0
2.0.1
2.1.0
2.1.1
2.2.0
2.2.1
2.2.2
2.3.0
2.3.1
2.3.2
2.4.0
2.4.1
2.4.2
2.5.0
2.6.0
2.7.0
2.7.1
2.8.0
2.8.1
2.9.0
2.9.1
2.9.2
2.10.0
2.10.1
2.10.2
2.11.0
2.11.1
2.11.2
2.11.3
2.11.4
2.12.0
2.12.1
2.12.2
2.13.0
2.13.1
2.13.2
2.14.0rc0
2.14.0
2.14.1