CVE-2023-1176
Published 2023-03-24
CVE-2023-1176: Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.2.2.
Priority: P4 (low). CVSS 3.1 base score 3.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
EPSS: 0.58% (43.3rd percentile)
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lfprojects | mlflow | < 2.2.2 | 2.2.2 |
| lfprojects | mlflow | >= 0 < 63ef72aa4334a6473ce7f889573c92fcae0b3c0d | 63ef72aa4334a6473ce7f889573c92fcae0b3c0d |
| lfprojects | mlflow | >= 0 < 2.2.2 | 2.2.2 |
| lfprojects | mlflow | >= 0 < 2.2.1 | 2.2.1 |
| mlflow | mlflow_mlflow | >= unspecified < 2.2.2 | 2.2.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| NVD | 3.0 | 5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| GHSA | | 3.3 | LOW | |
| OSV | | 3.3 | LOW | |
| Red Hat (vendor) | | 5.5 | MEDIUM | |
The two NVD vectors disagree on attack vector and privileges: the 3.1 vector scores a local, low-privileged attacker, while the 3.0 vector scores an unauthenticated network attacker. The GHSA text below describes a remote probe against any `mlflow server` or `mlflow ui` instance that is not shielded by a network boundary or authentication, so for an internet-exposed tracking server the network-based 5.3 reading is the one to plan against.
OSV · 2023-03-24
CVE-2023-1176: Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.2.2.
GHSA · 2023-03-24 · CVSS 3.3 (LOW) · CWE-36
Remote file existence check vulnerability in `mlflow server` and `mlflow ui` CLIs
### Impact
Users of the MLflow Open Source Project who host the MLflow Model Registry with the `mlflow server` or `mlflow ui` commands on an MLflow version older than 2.2.1 may be vulnerable to a remote file existence check exploit if they do not limit who can query their server (for example, with a cloud VPC, an IP allowlist for inbound requests, or authentication / authorization middleware).
This issue only affects users and integrations that run the `mlflow server` and `mlflow ui` commands. Integrations that do not make use of `mlflow server` or `mlflow ui` are unaffected; for example, the Databricks Managed MLflow product and MLflow on Azure Machine Learning do not make use of
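The advisory above describes the bug class (CWE-36, absolute path traversal used as a remote file-existence oracle) without showing the code shape behind it. The following is an added illustration, not MLflow's code: a hypothetical "register this artifact source" handler in its leaky form beside a hardened form, with a probe function that shows what a remote caller can and cannot learn from each. The handler names, the error messages, the `ARTIFACT_ROOT` layout and the sample artifact are all assumptions constructed for the example.

```python
# Added illustration of a file-existence oracle (CWE-36, absolute path traversal)
# in a registry-style "register this source" handler, beside a hardened form.
# This is NOT MLflow's code: handler names, messages and the artifact layout
# are assumptions made for the example.
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Constructed sandbox: an artifact root containing one real artifact file.
ARTIFACT_ROOT = Path(tempfile.mkdtemp(prefix="artifacts-"))
(ARTIFACT_ROOT / "run1").mkdir()
(ARTIFACT_ROOT / "run1" / "model.pkl").write_bytes(b"constructed sample artifact")

GENERIC_ERROR = "error: invalid source"


def register_source_vulnerable(source: str) -> str:
    """Hypothetical 'before' handler.

    It accepts any path-like source, including absolute paths and file:// URIs,
    and answers differently depending on whether the path exists on the server.
    That difference is the oracle: a caller who can reach the API learns, one
    path per request, what exists on the server's filesystem.
    """
    if source.startswith("file://"):
        path = Path(urlparse(source).path)
    else:
        path = Path(source)
    if not path.exists():
        return "error: source does not exist"
    return "ok: model version registered"


def register_source_hardened(source: str) -> str:
    """Hypothetical hardened handler.

    Only a relative path is accepted; it is resolved (so '..' and symlinks are
    collapsed) and must land strictly inside ARTIFACT_ROOT, and every rejection
    uses the same message, so paths outside the root cannot be probed.
    """
    parsed = urlparse(source)
    if parsed.scheme or parsed.netloc:        # file://, http://, s3://... are not local references
        return GENERIC_ERROR
    if not source or Path(source).is_absolute():
        return GENERIC_ERROR
    root = ARTIFACT_ROOT.resolve()
    candidate = (root / source).resolve()
    if root not in candidate.parents:         # escaped the root via '..' or a symlink
        return GENERIC_ERROR
    if not candidate.exists():                # existence inside the root is legitimately visible
        return GENERIC_ERROR
    return "ok: model version registered"


def leaks_existence(handler) -> bool:
    """True if the handler answers differently for an existing and a missing
    absolute path, i.e. if it works as a remote file-existence oracle."""
    existing = str(ARTIFACT_ROOT / "run1" / "model.pkl")
    missing = str(ARTIFACT_ROOT / "does-not-exist")
    return handler(existing) != handler(missing)


if __name__ == "__main__":
    for name, handler in (("vulnerable", register_source_vulnerable),
                          ("hardened", register_source_hardened)):
        print(f"{name}: leaks existence = {leaks_existence(handler)}")
```

The hardened handler still reveals whether a path exists inside the artifact root, which is the registry's job; what it removes is the ability to ask about arbitrary absolute paths such as credential files or SSH keys. The deployment controls the advisory lists (a VPC boundary, an inbound IP allowlist, or authentication / authorization middleware in front of the server) remain worthwhile regardless, because they limit who can reach the API at all.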
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.