Insecure Temporary File in mlflow/mlflow

Valid

Reported on

Jan 8th 2022

Description

mlflow package is using the deprecated function tempfile.mktemp() which is not secure. Because a different process may create a file with this name in the time between the call to mktemp() and the subsequent attempt to create the file by the first process.

Impact

Availability will get affected because of this vulnerability.

Remediation

Use mkstemp() instead of tempfile.mktemp()

Occurrences

file_utils.py L290

References

https://docs.python.org/3/library/tempfile.html#deprecated-functions-and-variables

We are processing your report and will contact the mlflow team within 24 hours. a year ago

We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago

Corey Zumar validated this vulnerability a year ago

Srikanth Prathi has been awarded the disclosure bounty

The fix bounty is now up for grabs

Corey Zumar marked this as fixed in 1.23.1 with commit 61984e a year ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

file_utils.py#L290 has been validated

to join this conversation