Nixpkgs Security Tracker

Untriaged

Permalink CVE-2024-27132

7.5 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 6 months ago

Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe.

Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe. This issue leads to a client-side RCE when running an untrusted recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over template variables.

References

Affected products

mlflow

=<2.9.2

Matching in nixpkgs

pkgs.mlflow-server

Open source platform for the machine learning lifecycle

nixos-unstable -
- nixpkgs-unstable 3.3.1

pkgs.python312Packages.mlflow

Open source platform for the machine learning lifecycle

nixos-unstable -
- nixpkgs-unstable 3.3.1

pkgs.python313Packages.mlflow

Open source platform for the machine learning lifecycle

nixos-unstable -
- nixpkgs-unstable 3.3.1

pkgs.python312Packages.sagemaker-mlflow

MLFlow plugin for SageMaker

nixos-unstable -
- nixpkgs-unstable 0.1.1

pkgs.python313Packages.sagemaker-mlflow

MLFlow plugin for SageMaker

nixos-unstable -
- nixpkgs-unstable 0.1.1

Package maintainers

@tbenst Tyler Benster <nix@tylerbenster.com>
@GaetanLepage Gaetan Lepage <gaetan@glepage.com>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.mlflow-server

pkgs.python312Packages.mlflow

pkgs.python313Packages.mlflow

pkgs.python312Packages.sagemaker-mlflow

pkgs.python313Packages.sagemaker-mlflow

Package maintainers