github - ghsa-vqj2-4v8m-8vrq

ghsa-vqj2-4v8m-8vrq

Vulnerability from github

Published

2022-02-24 00:00

Modified

2022-02-24 21:42

Severity

8.2 (High) - CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Summary

Insecure Temporary File in mlflow

Details

mlflow prior to 1.23.1 contains an insecure temporary file. The insecure function tempfile.mktemp() is deprecated and mkstemp() should be used instead.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "ecosystem_specific": {
        "affected_functions": [
          "mlflow.utils.file_utils.make_tarfile",
          "mlflow.projects.docker._create_docker_build_ctx"
        ]
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "mlflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.23.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-0736"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-377",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-02-24T21:42:26Z",
    "nvd_published_at": "2022-02-23T09:15:00Z",
    "severity": "HIGH"
  },
  "details": "mlflow prior to 1.23.1 contains an insecure temporary file. The insecure function `tempfile.mktemp()` is deprecated and `mkstemp()` should be used instead.",
  "id": "GHSA-vqj2-4v8m-8vrq",
  "modified": "2022-02-24T21:42:26Z",
  "published": "2022-02-24T00:00:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0736"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mlflow/mlflow/commit/61984e6843d2e59235d82a580c529920cd8f3711"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mlflow/mlflow"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/e5384764-c583-4dec-a1d8-4697f4e12f75"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insecure Temporary File in mlflow"
}

cve-2022-0736

Vulnerability from cvelistv5

Published

2022-02-23 08:45

Modified

2024-08-02 23:40

Severity

8.2 (High) - cvssV3_0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Summary

Insecure Temporary File in mlflow/mlflow

References

URL	Tags
https://huntr.dev/bounties/e5384764-c583-4dec-a1d8-4697f4e12f75	x_refsource_CONFIRM
https://github.com/mlflow/mlflow/commit/61984e6843d2e59235d82a580c529920cd8f3711	x_refsource_MISC

Impacted products

Vendor	Product
mlflow	mlflow/mlflow

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:40:03.521Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/e5384764-c583-4dec-a1d8-4697f4e12f75"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mlflow/mlflow/commit/61984e6843d2e59235d82a580c529920cd8f3711"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mlflow/mlflow",
          "vendor": "mlflow",
          "versions": [
            {
              "lessThan": "1.23.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Insecure Temporary File in GitHub repository mlflow/mlflow prior to 1.23.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-377",
              "description": "CWE-377 Insecure Temporary File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-02-23T08:45:13",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://huntr.dev/bounties/e5384764-c583-4dec-a1d8-4697f4e12f75"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mlflow/mlflow/commit/61984e6843d2e59235d82a580c529920cd8f3711"
        }
      ],
      "source": {
        "advisory": "e5384764-c583-4dec-a1d8-4697f4e12f75",
        "discovery": "EXTERNAL"
      },
      "title": "Insecure Temporary File in mlflow/mlflow",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@huntr.dev",
          "ID": "CVE-2022-0736",
          "STATE": "PUBLIC",
          "TITLE": "Insecure Temporary File in mlflow/mlflow"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "mlflow/mlflow",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "1.23.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "mlflow"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Insecure Temporary File in GitHub repository mlflow/mlflow prior to 1.23.1."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-377 Insecure Temporary File"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://huntr.dev/bounties/e5384764-c583-4dec-a1d8-4697f4e12f75",
              "refsource": "CONFIRM",
              "url": "https://huntr.dev/bounties/e5384764-c583-4dec-a1d8-4697f4e12f75"
            },
            {
              "name": "https://github.com/mlflow/mlflow/commit/61984e6843d2e59235d82a580c529920cd8f3711",
              "refsource": "MISC",
              "url": "https://github.com/mlflow/mlflow/commit/61984e6843d2e59235d82a580c529920cd8f3711"
            }
          ]
        },
        "source": {
          "advisory": "e5384764-c583-4dec-a1d8-4697f4e12f75",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2022-0736",
    "datePublished": "2022-02-23T08:45:13",
    "dateReserved": "2022-02-23T00:00:00",
    "dateUpdated": "2024-08-02T23:40:03.521Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

pysec-2022-28

Vulnerability from pysec

Published

2022-02-23 09:15

Modified

2022-03-02 06:39

Details

Insecure Temporary File in GitHub repository mlflow/mlflow prior to 1.23.1.

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mlflow",
        "purl": "pkg:pypi/mlflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "61984e6843d2e59235d82a580c529920cd8f3711"
            }
          ],
          "repo": "https://github.com/mlflow/mlflow",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.23.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.0.1",
        "0.1.0",
        "0.2.0",
        "0.2.1",
        "0.3.0",
        "0.4.0",
        "0.4.1",
        "0.4.2",
        "0.5.0",
        "0.5.1",
        "0.5.2",
        "0.6.0",
        "0.7.0",
        "0.8.0",
        "0.8.1",
        "0.8.2",
        "0.9.0",
        "0.9.0.1",
        "0.9.1",
        "1.0.0",
        "1.1.0",
        "1.1.1.dev0",
        "1.10.0",
        "1.11.0",
        "1.12.0",
        "1.12.1",
        "1.13",
        "1.13.1",
        "1.14.0",
        "1.14.1",
        "1.15.0",
        "1.16.0",
        "1.17.0",
        "1.18.0",
        "1.19.0",
        "1.2.0",
        "1.20.0",
        "1.20.1",
        "1.20.2",
        "1.21.0",
        "1.22.0",
        "1.23.0",
        "1.3.0",
        "1.4.0",
        "1.5.0",
        "1.6.0",
        "1.7.0",
        "1.7.1",
        "1.7.2",
        "1.8.0",
        "1.9.0",
        "1.9.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-0736",
    "GHSA-vqj2-4v8m-8vrq"
  ],
  "details": "Insecure Temporary File in GitHub repository mlflow/mlflow prior to 1.23.1.",
  "id": "PYSEC-2022-28",
  "modified": "2022-03-02T06:39:30.836439Z",
  "published": "2022-02-23T09:15:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/e5384764-c583-4dec-a1d8-4697f4e12f75"
    },
    {
      "type": "FIX",
      "url": "https://github.com/mlflow/mlflow/commit/61984e6843d2e59235d82a580c529920cd8f3711"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-vqj2-4v8m-8vrq"
    }
  ]
}

Action not permitted

ghsa-vqj2-4v8m-8vrq

Vulnerability from github

cve-2022-0736

Vulnerability from cvelistv5

pysec-2022-28

Vulnerability from pysec

Tags