MLflow and ClearML Platform Security Update Advisories (CVE-2023-6831, CVE-2023-6977, CVE-2023-6709, CVE-2023-6778)
Overview
Security updates have been released for MLflow and ClearML Server, two open source platforms for machine learning and artificial intelligence development. Users of affected versions are advised to update to the latest version.
Affected Products
MLflow versions prior to 2.9.2 and ClearML Server versions prior to 1.13.0
Resolved Vulnerabilities
Path traversal vulnerability in MLflow when deleting artifacts (CVE-2023-6831)
Local file disclosure bypass vulnerability in MLflow (CVE-2023-6977)
Remote code execution vulnerability due to Jinja2 SSTI in MLflow (CVE-2023-6709)
Stored XSS vulnerability in ClearML Server (CVE-2023-6778)
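The first two entries above are both file-path containment failures: a caller-supplied artifact path is joined to a server-side root without verifying that the result still lies inside that root. The following is an added example, not MLflow's or ClearML's code and not a reproduction of the specific CVEs, of the containment check a server should apply before deleting or reading an artifact. The artifact root and function names are assumptions chosen for illustration.

```python
import os
from pathlib import Path

# Assumed artifact root for this example; any directory works because the
# check is purely path-based and does not require the directory to exist.
ARTIFACT_ROOT = Path("/srv/artifacts")


def resolve_artifact_path(root: Path, user_path: str) -> Path:
    """Return the absolute on-disk path for ``user_path`` inside ``root``.

    Raises ValueError when the request would leave the artifact root.
    The checks, in order:
      1. reject empty, absolute, drive-qualified and NUL-containing paths;
      2. normalise separators so a backslash cannot hide a '..' segment;
      3. resolve '.' and '..' (and symlinks in existing components);
      4. test containment component-wise with relative_to(), not with a
         string prefix, so '/srv/artifacts2' is not mistaken for the root;
      5. refuse the root itself, so a delete cannot wipe every artifact.
    """
    if not user_path:
        raise ValueError("empty artifact path")
    if "\x00" in user_path:
        raise ValueError("NUL byte in artifact path")
    if user_path.startswith(("/", "\\")) or ":" in user_path[:2]:
        raise ValueError("absolute or drive-qualified paths are not allowed")

    normalised = user_path.replace("\\", "/")
    root_resolved = root.resolve()
    candidate = (root_resolved / normalised).resolve(strict=False)

    try:
        relative = candidate.relative_to(root_resolved)
    except ValueError:
        raise ValueError(f"path escapes artifact root: {user_path!r}") from None
    if relative == Path("."):
        raise ValueError("refusing to operate on the artifact root itself")
    return candidate


def is_safe_artifact_path(root: Path, user_path: str) -> bool:
    """Boolean wrapper around resolve_artifact_path() for request filtering."""
    try:
        resolve_artifact_path(root, user_path)
        return True
    except ValueError:
        return False


def delete_artifact(root: Path, user_path: str) -> Path:
    """Delete an artifact only after the containment check passes.

    Returns the resolved path that was (or would have been) removed.
    """
    target = resolve_artifact_path(root, user_path)
    if target.is_file():
        os.remove(target)
    return target


if __name__ == "__main__":
    # Constructed sample requests: the first is legitimate, the rest are
    # the shapes a containment check must reject.
    for req in ["run1/model.pkl", "../etc/passwd", "run1/../../etc/passwd",
                "/etc/passwd", "..\\..\\etc\\passwd", "run1/..", "."]:
        print(f"{req!r:28} safe={is_safe_artifact_path(ARTIFACT_ROOT, req)}")
```

The containment test uses Path.relative_to() on fully resolved paths rather than a `startswith` comparison of strings; the string form accepts sibling directories that merely share a prefix with the root, which is one common way a "fixed" traversal check is bypassed.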
Vulnerability Patches
Vulnerability patches were made available in the December 15, 2023 update. Users of affected versions are advised to update to the latest version.
Referenced Sites
[1] https://github.com/mlflow/mlflow/releases/tag/v2.9.2
[2] https://github.com/allegroai/clearml-server/releases/tag/v1.13.0
[3] https://huntr.com/bounties/0acdd745-0167-4912-9d5c-02035fe5b314/
[4] https://huntr.com/bounties/fe53bf71-3687-4711-90df-c26172880aaf/
[5] https://huntr.com/bounties/9e4cc07b-6fff-421b-89bd-9445ef61d34d
[6] https://huntr.com/bounties/5f3fffac-0358-48e6-a500-81bac13e0e2b/