Insecure Temporary File in mlflow/mlflow
Jan 8th 2022
The mlflow package uses the deprecated function tempfile.mktemp(), which is not secure: a different process may create a file with the same name in the window between the call to mktemp() and the first process's subsequent attempt to create the file.
This vulnerability affects availability.
mkstemp() instead of
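As an added illustration (not code from this report or from mlflow), the vulnerable mktemp() pattern beside the mkstemp() replacement, plus the O_EXCL primitive that makes mkstemp() safe; the ".mlflow" suffix and file contents are constructed:

```python
import os
import stat
import tempfile


def mktemp_pattern():
    """Vulnerable: mktemp() only returns a name, nothing is created.
    Returns (existed_before_open, final_mode)."""
    path = tempfile.mktemp(suffix=".mlflow")      # constructed suffix
    existed_before_open = os.path.exists(path)    # False: this is the race window
    with open(path, "wb") as f:                   # plain open(): follows symlinks, no O_EXCL
        f.write(b"model artifact")                # constructed payload
    mode = stat.S_IMODE(os.stat(path).st_mode)    # 0o666 & ~umask, typically 0o644
    os.unlink(path)
    return existed_before_open, mode


def mkstemp_pattern():
    """Hardened: mkstemp() creates the file atomically (O_CREAT|O_EXCL, mode 0600)
    and hands back an open descriptor, so no window exists.
    Returns (existed_before_write, final_mode)."""
    fd, path = tempfile.mkstemp(suffix=".mlflow")
    existed_before_write = os.path.exists(path)   # True: already created under our ownership
    with os.fdopen(fd, "wb") as f:                # write through the descriptor, not the name
        f.write(b"model artifact")
    mode = stat.S_IMODE(os.stat(path).st_mode)    # 0o600
    os.unlink(path)
    return existed_before_write, mode


def exclusive_create(path):
    """The primitive mkstemp() relies on: create-or-fail, never reuse an existing path."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    os.close(fd)
    return True


def exclusive_create_twice():
    """Second attempt on the same path must fail: returns (True, False)."""
    path = os.path.join(tempfile.gettempdir(), "excl-demo-%d" % os.getpid())
    first = exclusive_create(path)
    second = exclusive_create(path)
    os.unlink(path)
    return first, second
```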
Corey Zumar validated this vulnerability a year ago
Srikanth Prathi has been awarded the disclosure bounty
The fix bounty is now up for grabs
Corey Zumar marked this as fixed in 1.23.1 with commit 61984e a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE