MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability

MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of model file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26921.

N/A

对路径名的限制不恰当(路径遍历)

MLflow 路径遍历漏洞

MLflow是MLflow开源的一个简化机器学习开发的平台，包括跟踪实验、将代码打包成可重复的运行以及共享和部署模型。 MLflow存在路径遍历漏洞，该漏洞源于对模型文件路径处理不当，可能导致远程代码执行。

N/A

N/A