Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Denial of Service and Data Model Poisoning via URL Encoding in mlflow/mlflow
Vulnerability Description
A vulnerability in mlflow/mlflow version 2.11.1 allows attackers to create multiple models with the same name by exploiting URL encoding. This flaw can lead to Denial of Service (DoS) as an authenticated user might not be able to use the intended model, as it will open a different model each time. Additionally, an attacker can exploit this vulnerability to perform data model poisoning by creating a model with the same name, potentially causing an authenticated user to become a victim by using the poisoned model. The issue stems from inadequate validation of model names, allowing for the creation of models with URL-encoded names that are treated as distinct from their URL-decoded counterparts.
CVSS Information
N/A
Vulnerability Type
从输入到API的未定义行为
Vulnerability Title
Mlflow 安全漏洞
Vulnerability Description
Mlflow是一个机器学习生命周期的开源平台。 Mlflow 存在安全漏洞,该漏洞源于可以利用 URL 编码创建多个同名模型,可能导致拒绝服务。
CVSS Information
N/A
Vulnerability Type
N/A