Описание
MLFlow unsafe deserialization
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with.
Пакеты
Наименование
mlflow
pip
Затронутые версииВерсия исправления
>= 1.1.0, <= 2.14.1
Отсутствует
Связанные уязвимости
CVSS3: 8.8
nvd
больше 1 года назад
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with.