PYSEC-2024-240
See a problem?- Import Source
- https://github.com/pypa/advisory-database/blob/main/vulns/mlflow/PYSEC-2024-240.yaml
- JSON Data
- https://api.osv.dev/v1/vulns/PYSEC-2024-240
- Aliases
- Published
- 2024-02-23T22:15:55Z
- Modified
- 2025-04-08T11:13:12.775658Z
- Severity
-
- 9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe.
This issue leads to a client-side RCE when running an untrusted recipe in Jupyter Notebook.
The vulnerability stems from lack of sanitization over template variables.
- References
Affected packages
PyPI / mlflow
Package
- Name
- mlflow
- View open source insights on deps.dev
- Purl
- pkg:pypi/mlflow
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.10.0
Affected versions
0.*
0.0.1
0.1.0
0.2.0
0.2.1
0.3.0
0.4.0
0.4.1
0.4.2
0.5.0
0.5.1
0.5.2
0.6.0
0.7.0
0.8.0
0.8.1
0.8.2
0.9.0
0.9.0.1
0.9.1
1.*
1.0.0
1.1.0
1.1.1.dev0
1.2.0
1.3.0
1.4.0
1.5.0
1.6.0
1.7.0
1.7.1
1.7.2
1.8.0
1.9.0
1.9.1
1.10.0
1.11.0
1.12.0
1.12.1
1.13
1.13.1
1.14.0
1.14.1
1.15.0
1.16.0
1.17.0
1.18.0
1.19.0
1.20.0
1.20.1
1.20.2
1.21.0
1.22.0
1.23.0
1.23.1
1.24.0
1.25.0
1.25.1
1.26.0
1.26.1
1.27.0
1.28.0
1.29.0
1.30.0
1.30.1
2.*
2.0.0rc0
2.0.0
2.0.1
2.1.0
2.1.1
2.2.0
2.2.1
2.2.2
2.3.0
2.3.1
2.3.2
2.4.0
2.4.1
2.4.2
2.5.0
2.6.0
2.7.0
2.7.1
2.8.0
2.8.1
2.9.0
2.9.1
2.9.2