ghsa-vqj2-4v8m-8vrq
Vulnerability from github
Published
2022-02-24 00:00
Modified
2022-02-24 21:42
Severity
Summary
Insecure Temporary File in mlflow
Details
mlflow prior to 1.23.1 contains an insecure temporary file. The insecure function tempfile.mktemp()
is deprecated and mkstemp()
should be used instead.
{ "affected": [ { "ecosystem_specific": { "affected_functions": [ "mlflow.utils.file_utils.make_tarfile", "mlflow.projects.docker._create_docker_build_ctx" ] }, "package": { "ecosystem": "PyPI", "name": "mlflow" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.23.1" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2022-0736" ], "database_specific": { "cwe_ids": [ "CWE-377", "CWE-668" ], "github_reviewed": true, "github_reviewed_at": "2022-02-24T21:42:26Z", "nvd_published_at": "2022-02-23T09:15:00Z", "severity": "HIGH" }, "details": "mlflow prior to 1.23.1 contains an insecure temporary file. The insecure function `tempfile.mktemp()` is deprecated and `mkstemp()` should be used instead.", "id": "GHSA-vqj2-4v8m-8vrq", "modified": "2022-02-24T21:42:26Z", "published": "2022-02-24T00:00:54Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0736" }, { "type": "WEB", "url": "https://github.com/mlflow/mlflow/commit/61984e6843d2e59235d82a580c529920cd8f3711" }, { "type": "PACKAGE", "url": "https://github.com/mlflow/mlflow" }, { "type": "WEB", "url": "https://huntr.dev/bounties/e5384764-c583-4dec-a1d8-4697f4e12f75" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "type": "CVSS_V3" } ], "summary": "Insecure Temporary File in mlflow" }
Loading...