Описание
MLFlow unsafe deserialization
Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.9.0 or newer, enabling a maliciously uploaded PyFunc model to run arbitrary code on an end user’s system when interacted with.
Пакеты
Наименование
mlflow
pip
Затронутые версииВерсия исправления
>= 0.9.0, <= 2.14.1
Отсутствует
Связанные уязвимости
CVSS3: 8.8
nvd
больше 1 года назад
Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.9.0 or newer, enabling a maliciously uploaded PyFunc model to run arbitrary code on an end user’s system when interacted with.