Vulnerability Information
Vulnerability Title
Unauthorized Access to Tracing and Assessment Endpoints in mlflow/mlflow
Vulnerability Description
In the latest version of mlflow/mlflow, when the `basic-auth` app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including those with `NO_PERMISSIONS` on the experiment, to read trace information and create assessments for traces they should not have access to. This vulnerability impacts confidentiality by exposing trace metadata and integrity by allowing unauthorized creation of assessments. Deployments using `mlflow server --app-name=basic-auth` are affected.
CVSS Information
N/A
Vulnerability Type
Information Exposure
Vulnerability Title
MLflow Information Disclosure Vulnerability
Vulnerability Description
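MLflow is an open-source platform from MLflow that simplifies machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. mlflow has an information disclosure vulnerability. It stems from the permission validators not protecting the tracing and assessment endpoints, which may allow any authenticated user to read trace information and create unauthorized assessments.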
CVSS Information
N/A
Vulnerability Type
N/A