Vulnerability Information
Vulnerability Title
Unauthorized Access to Tracing and Assessment Endpoints in mlflow/mlflow
Vulnerability Description
In the latest version of mlflow/mlflow, when the `basic-auth` app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including those with `NO_PERMISSIONS` on the experiment, to read trace information and create assessments for traces they should not have access to. This vulnerability impacts confidentiality by exposing trace metadata and integrity by allowing unauthorized creation of assessments. Deployments using `mlflow server --app-name=basic-auth` are affected.
CVSS Information
N/A
Vulnerability Type
Information Exposure
Vulnerability Title
MLflow Information Disclosure Vulnerability
Vulnerability Description
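MLflow is an open-source platform from MLflow that simplifies machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. mlflow has an information disclosure vulnerability that stems from permission validators not protecting the tracing and assessment endpoints, which may allow any authenticated user to read trace information and create unauthorized assessments.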
CVSS Information
N/A
Vulnerability Type
N/A