GHSA-vqj2-4v8m-8vrq
Suggest an improvement- Source
- https://github.com/advisories/GHSA-vqj2-4v8m-8vrq
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-vqj2-4v8m-8vrq/GHSA-vqj2-4v8m-8vrq.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-vqj2-4v8m-8vrq
- Aliases
- Published
- 2022-02-24T00:00:54Z
- Modified
- 2024-09-30T21:10:55.113067Z
- Severity
-
- 8.2 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H CVSS Calculator
- 8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Insecure Temporary File in mlflow
- Details
-
mlflow prior to 1.23.1 contains an insecure temporary file. The insecure function
tempfile.mktemp()is deprecated andmkstemp()should be used instead. - Database specific
{ "nvd_published_at": "2022-02-23T09:15:00Z", "cwe_ids": [ "CWE-377", "CWE-668" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-02-24T21:42:26Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2022-0736
- https://github.com/mlflow/mlflow/commit/61984e6843d2e59235d82a580c529920cd8f3711
- https://github.com/advisories/GHSA-vqj2-4v8m-8vrq
- https://github.com/mlflow/mlflow
- https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2022-28.yaml
- https://huntr.dev/bounties/e5384764-c583-4dec-a1d8-4697f4e12f75
Affected packages
PyPI / mlflow
Package
- Name
- mlflow
- View open source insights on deps.dev
- Purl
- pkg:pypi/mlflow
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.23.1
Affected versions
0.*
0.0.1
0.1.0
0.2.0
0.2.1
0.3.0
0.4.0
0.4.1
0.4.2
0.5.0
0.5.1
0.5.2
0.6.0
0.7.0
0.8.0
0.8.1
0.8.2
0.9.0
0.9.0.1
0.9.1
1.*
1.0.0
1.1.0
1.1.1.dev0
1.2.0
1.3.0
1.4.0
1.5.0
1.6.0
1.7.0
1.7.1
1.7.2
1.8.0
1.9.0
1.9.1
1.10.0
1.11.0
1.12.0
1.12.1
1.13
1.13.1
1.14.0
1.14.1
1.15.0
1.16.0
1.17.0
1.18.0
1.19.0
1.20.0
1.20.1
1.20.2
1.21.0
1.22.0
1.23.0