8.8
CVE-2024-1961 - Path Traversal leading to Arbitrary File Write and RCE in vertaai/modeldb
vertaai/modeldb is vulnerable to a path traversal attack due to improper sanitization of user-supplied file paths in its file upload functionality. Attackers can exploit this vulnerability to write arbitrary files anywhere in the file system by manipulating the 'artifact_path' parameter. This flaw β¦
9.9
CVE-2024-2083 - Directory Traversal in zenml-io/zenml
A directory traversal vulnerability exists in the zenml-io/zenml repository, specifically within the /api/v1/steps endpoint. Attackers can exploit this vulnerability by manipulating the 'logs' URI path in the request to fetch arbitrary file content, bypassing intended access restrictions. The vulneβ¦
9.1
CVE-2024-1739 - Case Insensitive Email Address Validation Vulnerability in lunary-ai/lunary
lunary-ai/lunary is vulnerable to an authentication issue due to improper validation of email addresses during the signup process. Specifically, the server fails to treat email addresses as case insensitive, allowing the creation of multiple accounts with the same email address by varying the case β¦
8.8
CVE-2024-3571 - Path Traversal in langchain-ai/langchain
langchain-ai/langchain is vulnerable to path traversal due to improper limitation of a pathname to a restricted directory ('Path Traversal') in its LocalFileStore functionality. An attacker can leverage this vulnerability to read or write files anywhere on the filesystem, potentially leading to infβ¦
10
CVE-2024-2912 - Insecure Deserialization Leading to RCE in bentoml/bentoml
An insecure deserialization vulnerability exists in the BentoML framework, allowing remote code execution (RCE) by sending a specially crafted POST request. By exploiting this vulnerability, attackers can execute arbitrary commands on the server hosting the BentoML application. The vulnerability isβ¦
7.5
CVE-2024-3574 - Authorization Header Leak During Cross-Domain Redirect in scrapy/scrapy
In scrapy version 2.10.1, an issue was identified where the Authorization header, containing credentials for server authentication, is leaked to a third-party site during a cross-domain redirect. This vulnerability arises from the failure to remove the Authorization header when redirecting across dβ¦
9.8
CVE-2024-3271 - Command Injection in run-llama/llama_index
A command injection vulnerability exists in the run-llama/llama_index repository, specifically within the safe_eval function. Attackers can bypass the intended security mechanism, which checks for the presence of underscores in code generated by LLM, to execute arbitrary code. This is achieved by cβ¦
4.2
CVE-2024-2260 - Session Fixation Vulnerability in zenml-io/zenml
A session fixation vulnerability exists in the zenml-io/zenml application, where JWT tokens used for user authentication are not invalidated upon logout. This flaw allows an attacker to bypass authentication mechanisms by reusing a victim's JWT token.
7.5
CVE-2024-1569 - Uncontrolled Resource Consumption in parisneo/lollms-webui
parisneo/lollms-webui is vulnerable to a denial of service (DoS) attack due to uncontrolled resource consumption. Attackers can exploit the `/open_code_in_vs_code` and similar endpoints without authentication by sending repeated HTTP POST requests, leading to the opening of Visual Studio Code or thβ¦
9.3
CVE-2024-3573 - Local File Inclusion (LFI) via Scheme Confusion in mlflow/mlflow
mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary files on the system. The issue arises from the 'is_local_uri' function's failure to properly handle URIs with empty or 'file' schemes, leading to the misβ¦