Untriaged
Permalink
CVE-2024-37058
8.8 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): REQUIRED
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): HIGH
Deserialization of untrusted data can occur in versions of the …
Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.5.0 or newer, enabling a maliciously uploaded Langchain AgentExecutor model to run arbitrary code on an end user’s system when interacted with.
References
Affected products
mlflow
- =<*
- ==2.5.0
Matching in nixpkgs
pkgs.mlflow-server
Open source platform for the machine learning lifecycle
-
nixos-unstable -
- nixpkgs-unstable 3.3.1
pkgs.python312Packages.mlflow
Open source platform for the machine learning lifecycle
-
nixos-unstable -
- nixpkgs-unstable 3.3.1
pkgs.python313Packages.mlflow
Open source platform for the machine learning lifecycle
-
nixos-unstable -
- nixpkgs-unstable 3.3.1
pkgs.python312Packages.sagemaker-mlflow
MLFlow plugin for SageMaker
-
nixos-unstable -
- nixpkgs-unstable 0.1.1
pkgs.python313Packages.sagemaker-mlflow
MLFlow plugin for SageMaker
-
nixos-unstable -
- nixpkgs-unstable 0.1.1
Package maintainers
-
@tbenst Tyler Benster <nix@tylerbenster.com>
-
@GaetanLepage Gaetan Lepage <gaetan@glepage.com>