Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update requirements.txt #244

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Conversation

suryadev99
Copy link

To fix vulnerabilities in the mlflow package

Relative Path Traversal
mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models.

Affected versions of this package are vulnerable to Relative Path Traversal due to allowing the ability to provide relative paths in registered model sources.

image

Access Restriction Bypass

Affected versions of this package are vulnerable to Access Restriction Bypass. Users of the MLflow Open Source Project who are hosting the MLflow Model Registry using the mlflow server or mlflow ui commands may be vulnerable to a remote file access exploit if they are not limiting who can query their server (for example, by using a cloud VPC, an IP allowlist for inbound requests, or authentication / authorization middleware).

This issue only affects users and integrations that run the mlflow server and mlflow ui commands. Integrations that do not make use of mlflow server or mlflow ui are unaffected; for example, the Databricks Managed MLflow product and MLflow on Azure Machine Learning do not make use of these commands and are not impacted by these vulnerabilities in any way. The vulnerability is very similar to CVE-2023-1177

To fix vulnerabilities in the mlflow package 

Relative Path Traversal
mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models.

Affected versions of this package are vulnerable to Relative Path Traversal due to allowing the ability to provide relative paths in registered model sources.
@suryadev99
Copy link
Author

This is a critical security issue , Hope you fix it quickly

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant