HIGH 8.8
GHSA-pqcv-qw2r-r859
MLFlow improper input validation
Details
Remote code execution can occur in MLflow versions 1.11.0 and newer: because input is not filtered, a maliciously crafted MLproject can execute arbitrary code on an end user’s system when it is run.
Affected packages
PyPI / mlflow
Introduced in: 1.11.0
No fixed version published yet for mlflow (pip). Pin to a known-safe version or switch to an alternative.