Insecure Temporary File in mlflow/mlflow
Valid
Reported on Jan 8th 2022
Description
The mlflow package uses the deprecated function tempfile.mktemp(), which is not secure because a different process may create a file with this name in the time between the call to mktemp() and the subsequent attempt to create the file by the first process.
Impact
This vulnerability affects availability.
Remediation
Use mkstemp() instead of tempfile.mktemp().
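The gap described above, shown beside the remediation. This is an added example, not code from mlflow or from the report; the function names and the `in_gap` callback (a constructed stand-in for the other process) are assumptions made for illustration.

```python
import os
import tempfile


def write_with_mktemp(data, in_gap=None):
    """Deprecated pattern: choose a name now, create the file later."""
    path = tempfile.mktemp()        # returns a name only; no file exists yet
    if in_gap is not None:
        in_gap(path)                # constructed stand-in for another process
    with open(path, "w") as fh:     # reuses whatever already sits at that name
        fh.write(data)
    return path


def write_with_mkstemp(data):
    """Remediation: mkstemp() creates and opens the file in one atomic step."""
    fd, path = tempfile.mkstemp()   # O_CREAT | O_EXCL, accessible by owner only
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def race_demo():
    """Return (wrote_into_foreign_file, exclusive_create_refused)."""
    seen = {}

    def other_process(path):
        # Constructed: the other process creates the name first.
        with open(path, "w") as fh:
            fh.write("created by someone else")
        seen["inode"] = os.stat(path).st_ino

    path = write_with_mktemp("run data", in_gap=other_process)
    try:
        # Same inode: our write landed in a file we did not create.
        foreign = os.stat(path).st_ino == seen["inode"]
        try:
            # The same O_EXCL flag mkstemp() relies on: fails if the name exists.
            os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600))
            refused = False
        except FileExistsError:
            refused = True
    finally:
        os.unlink(path)
    return foreign, refused


if __name__ == "__main__":
    print(race_demo())
```

mkstemp() returns an open file descriptor along with the path, so the caller is responsible for closing the descriptor and deleting the file when done.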
Occurrences
We are processing your report and will contact the mlflow team within 24 hours.
a year ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md
a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
file_utils.py#L290 has been validated