Описание
In mlflow version 2.20.3, the temporary directory used for creating Python virtual environments is assigned insecure world-writable permissions (0o777). This vulnerability allows an attacker with write access to the /tmp directory to exploit a race condition and overwrite .py files in the virtual environment, leading to arbitrary code execution. The issue is resolved in version 3.4.0.
EPSS
Процентиль: 2%
0.00014
Низкий
7 High
CVSS3
Дефекты
CWE-379
Связанные уязвимости
CVSS3: 7
github
5 дней назад
mlflow Creates of Temporary File in Directory with Insecure Permissions
EPSS
Процентиль: 2%
0.00014
Низкий
7 High
CVSS3
Дефекты
CWE-379