- Description
- In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security risks, as accounts without passwords may be susceptible to unauthorized access. Additionally, this issue violates best practices for secure user account management. The issue is fixed in version 2.19.0.
- Source
- security@huntr.dev
- NVD status
- Analyzed
CVSS 3.1
- Type
- Primary
- Base score
- 5.5
- Impact score
- 4.2
- Exploitability score
- 1.2
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N
- Severity
- MEDIUM
CVSS 3.0
- Type
- Secondary
- Base score
- 3.8
- Impact score
- 2.5
- Exploitability score
- 1.2
- Vector string
- CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
- Severity
- LOW
- security@huntr.dev
- CWE-521
CVE-2025-1474 In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security risks, as accounts wi… https://t.co/ht3y1oqXlE
@CVEnew
20 Mar 2025
Just scored two CVEs for MLflow! (CVE-2025-1473, CVE-2025-1474) MLflow is an open-source platform for managing machine learning workflows. I found a CSRF vulnerability that could’ve been nasty if exploited, and noticed the password policy was pretty weak too – had to call that out.
@krishnast54
20 Feb 2025
We are glad to share our security researcher Krishna Tiwari's achievement in getting two CVEs for AI/ML application - @MLflow . CVE-2025-1473 https://t.co/SE0fFb935M CVE-2025-1474 @ProtectAICorp #cybersecurity #infosec #AI #ml #CVE #research https://t.co/rrlVfjGO9Z
@defhawk_specter
20 Feb 2025
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "424AC5C6-1433-408C-B56C-5F9DA30FB856",
"versionEndExcluding": "2.19.0"
}
],
"operator": "OR"
}
]
}
]