First published: Thu Nov 16 2023(Updated: )
MLflow allowed arbitrary files to be PUT onto the server.
Affected Software | Affected Version | How to fix |
---|---|---|
pip/mlflow | <2.8.1 | 2.8.1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The severity of GHSA-f798-qm4r-23r5 is critical.
GHSA-f798-qm4r-23r5 allows arbitrary files to be PUT onto the MLflow server.
MLflow version up to exclusive 2.8.1 is affected by GHSA-f798-qm4r-23r5.
Yes, updating to MLflow version 2.8.1 or above fixes GHSA-f798-qm4r-23r5.
GHSA-f798-qm4r-23r5 is associated with CWE-22.