—

PYSEC-2023-70

Details

A directory traversal vulnerability in the /get-artifact API method of the mlflow platform up to v2.0.1 allows attackers to read arbitrary files on the server via the path parameter.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / mlflow

Introduced in: 0 Fixed in: 2.0.1

Fix pip install --upgrade 'mlflow>=2.0.1'

References

https://github.com/mlflow/mlflow/issues/7166 [REPORT]
https://github.com/mlflow/mlflow/issues/7166#issuecomment-1541543234 [REPORT]