mlflow Password Requirement Vulnerability in User Account Creation

Vulnerability

A vulnerability exists in mlflow version 2.18, allowing administrators to create user accounts without setting a password. This oversight could lead to unauthorized access, as passwordless accounts may be easily exploited. Furthermore, the issue contravenes established best practices for secure user account management. The vulnerability has been addressed in version 2.19.0.

Impact

The absence of password requirements can result in unauthorized access to user accounts, creating potential security risks. Additionally, this vulnerability raises compliance issues by violating standard practices for secure account management.

Reproduction

To reproduce this vulnerability, log in as an admin and navigate to the signup page. Fill in the other required fields (for example, the username), leave the password field blank, and submit the form; the user account is created without a password.

Remediation

Upgrade to mlflow version 2.19.0 or later, where this vulnerability is fixed.
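The defect described above is a missing server-side check: the account-creation handler accepted whatever the form submitted, so a blank password field produced an account with no usable credential. The block below is an added example and is not mlflow's own code. It uses a hypothetical in-memory user store to show the weak handler (create_user_unchecked, which persists an empty password) beside the hardened one (create_user, which validates first), plus an audit helper that finds accounts whose stored credential verifies against the empty string, which is what an operator would want to run after upgrading to catch accounts created while the check was absent. MIN_PASSWORD_LENGTH and PBKDF2_ITERATIONS are assumed values for the demo; the advisory states neither.

```python
"""Password requirement at account creation, plus an audit for existing accounts.

Added example, not mlflow's own code: a hypothetical in-memory user store and
handlers that model the check a signup endpoint must apply server-side.
"""
import hashlib
import hmac
import os

MIN_PASSWORD_LENGTH = 8      # assumed policy value; the advisory states no length
PBKDF2_ITERATIONS = 100_000  # assumed work factor for the demo


class PasswordPolicyError(ValueError):
    """Raised when a supplied password does not satisfy the policy."""


def validate_password(password):
    """Reject missing, blank or too-short passwords.

    A 'required' attribute on the form field is not enough: a request can be
    sent without it, so the server must enforce the rule itself.
    """
    if password is None or password.strip() == "":
        raise PasswordPolicyError("password is required")
    if len(password) < MIN_PASSWORD_LENGTH:
        raise PasswordPolicyError(
            f"password must be at least {MIN_PASSWORD_LENGTH} characters")


def password_is_acceptable(password):
    """Boolean wrapper around validate_password for callers that prefer no exceptions."""
    try:
        validate_password(password)
    except PasswordPolicyError:
        return False
    return True


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, returned as 'salt$digest' in hex."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Constant-time comparison of a candidate password against 'salt$digest'."""
    if not stored or "$" not in stored:
        return False
    salt_hex, _digest_hex = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def create_user_unchecked(store, username, password):
    """Weak form: persists whatever the form sent, including an empty password.

    This mirrors the behaviour the advisory describes: the signup form is
    submitted with the password field blank and the account is still created.
    """
    store[username] = {"password_hash": hash_password(password or "")}
    return store[username]


def create_user(store, username, password):
    """Hardened form: validate username and password before touching the store."""
    if not username or not username.strip():
        raise ValueError("username is required")
    if username in store:
        raise ValueError("username already exists")
    validate_password(password)
    store[username] = {"password_hash": hash_password(password)}
    return store[username]


def find_passwordless_accounts(store):
    """Audit helper: usernames with no stored credential, or one that matches ''.

    Run this after upgrading to find accounts created while the check was absent.
    """
    return sorted(
        name for name, rec in store.items()
        if not rec.get("password_hash")
        or verify_password("", rec["password_hash"])
    )


if __name__ == "__main__":
    users = {}                                   # constructed in-memory store
    create_user_unchecked(users, "svc-legacy", "")   # what the weak handler allowed
    create_user(users, "alice", "correct horse battery")
    print("passwordless accounts:", find_passwordless_accounts(users))
```

The audit deliberately tests the stored hash against the empty string rather than looking for a literal empty field: a handler that hashes before storing will still produce a non-empty hash for an empty password, and only the verification step exposes that.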

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  Category        Score
  spread          5.7
  impact          5.0
  exploitability  5.8
  remediation     7.7
  relevance       0.0
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.