Описание
Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over dataset table fields.
Ссылки
- Issue TrackingPatch
- ExploitThird Party Advisory
- Issue TrackingPatch
- ExploitThird Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 2.9.2 (включая)
cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*
EPSS
Процентиль: 42%
0.00197
Низкий
7.5 High
CVSS3
9.6 Critical
CVSS3
Дефекты
CWE-79
Связанные уязвимости
CVSS3: 9.6
github
почти 2 года назад
MLFlow Cross-site Scripting vulnerability leads to client-side Remote Code Execution
EPSS
Процентиль: 42%
0.00197
Низкий
7.5 High
CVSS3
9.6 Critical
CVSS3
Дефекты
CWE-79