Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-3v79-q7ph-j75h

Опубликовано: 24 фев. 2024
Источник: github
Github: Прошло ревью
CVSS3: 9.6

Описание

MLFlow Cross-site Scripting vulnerability leads to client-side Remote Code Execution

Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over dataset table fields.

Ссылки

Пакеты

Наименование

mlflow

pip
Затронутые версииВерсия исправления

< 2.10.0

2.10.0

EPSS

Процентиль: 42%
0.00197
Низкий

9.6 Critical

CVSS3

CVE ID

CVE-2024-27133

Дефекты

CWE-79

Связанные уязвимости

nvd логотип

CVE-2024-27133

CVSS3: 7.5
nvd
почти 2 года назад

Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over dataset table fields.

EPSS

Процентиль: 42%
0.00197
Низкий

9.6 Critical

CVSS3

CVE ID

CVE-2024-27133

Дефекты

CWE-79