Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Command Injection in mlflow/mlflow
Vulnerability Description
A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the `mlflow/sagemaker/__init__.py` file at lines 161-167. The vulnerability arises because user-supplied container image names are interpolated directly into shell command strings without sanitization, and those strings are then executed with `os.system()`. This allows attackers to execute arbitrary commands by supplying malicious input through the `--container` parameter of the CLI. The issue affects environments where MLflow is used, including development setups, CI/CD pipelines, and cloud deployments.
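To make the description concrete, the following added example (not MLflow's code; the function names, the `docker push` command and the image-reference pattern are assumptions chosen for illustration, and MLflow's actual fix may differ) contrasts the pattern the advisory describes, pasting a caller-supplied image name into an `os.system()`-style shell string, with a hardened form that validates the reference against a strict allowlist pattern and hands an argument vector to `subprocess.run()` so no shell ever parses it:

```python
import re
import subprocess

# Conservative allowlist for an OCI image reference: optional registry[:port]/,
# a lowercase repository path, an optional :tag and an optional @sha256:digest.
# Constructed for this example; it deliberately admits no whitespace or shell
# metacharacters (; & | $ ` ( ) < > etc.).
IMAGE_REF_RE = re.compile(
    r"^(?:[a-z0-9]+(?:[._-][a-z0-9]+)*(?::[0-9]+)?/)?"                  # registry[:port]/
    r"[a-z0-9]+(?:[._-][a-z0-9]+)*(?:/[a-z0-9]+(?:[._-][a-z0-9]+)*)*"  # repo path
    r"(?::[A-Za-z0-9_][A-Za-z0-9_.-]{0,127})?"                          # :tag
    r"(?:@sha256:[a-f0-9]{64})?$"                                       # @digest
)


def build_push_command_unsafe(image: str) -> str:
    """Vulnerable pattern (hypothetical, mirrors the advisory): the caller's
    image name is interpolated into a single string that a shell would parse.
    Whatever the shell treats specially in `image` changes what actually runs.
    Returned, not executed, so the contrast can be inspected safely."""
    return f"docker push {image}"


def is_valid_image_ref(image: str) -> bool:
    """True only when the reference matches the allowlist pattern exactly."""
    return IMAGE_REF_RE.fullmatch(image) is not None


def validate_image_ref(image: str) -> str:
    """Reject anything that is not a plain image reference before it gets near
    a process launch; fail closed with a clear error."""
    if not is_valid_image_ref(image):
        raise ValueError(f"rejected container image reference: {image!r}")
    return image


def build_push_command_safe(image: str) -> list[str]:
    """Hardened form: validate, then build an argv list. Each element reaches
    the child process as one argument, so no shell interprets the name."""
    return ["docker", "push", validate_image_ref(image)]


def run_push(image: str) -> subprocess.CompletedProcess:
    """Launch without shell=True; requires a docker binary on PATH to succeed.
    Not invoked by the checks below."""
    return subprocess.run(
        build_push_command_safe(image), check=True, capture_output=True, text=True
    )


if __name__ == "__main__":
    print(build_push_command_safe("myrepo/mlflow-pyfunc:1.2.3"))
    try:
        build_push_command_safe("myrepo/image:latest; echo injected")
    except ValueError as exc:
        print(exc)
```

Two properties of the hardened form are worth keeping in mind when reviewing similar code: the allowlist is the first line of defence, but even a reference that slips past it cannot inject a second command because the argument vector never reaches a shell; and logging the rejected value with `repr()` preserves the exact bytes for incident review.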
CVSS Information
N/A
Vulnerability Type
Improper Control of Generation of Code ('Code Injection')
Vulnerability Title
MLflow Code Injection Vulnerability
Vulnerability Description
MLflow is an open-source platform from MLflow that simplifies machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. MLflow versions before v3.7.0 contain a code injection vulnerability caused by improper sanitization of user-supplied container image names, which may allow arbitrary command execution via the CLI's --container parameter.
CVSS Information
N/A
Vulnerability Type
N/A