{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:e6c35dca-3f02-523f-a3c6-07ac76118992", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare", "type": "library", "name": "mlflow", "version": "2.9.1.post3+tuxcare", "purl": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:e8c4f403-a376-5bd8-afa6-ababe6a53566", "id": "CVE-2023-6709", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-6709 is fixed in version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:6a81ee43-c288-5929-8df3-c34f5f70c0f8", "id": "CVE-2023-6753", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-6753 is fixed in version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:64bb700c-141f-51c5-8637-61b212f272d8", "id": "CVE-2023-6831", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-6831 affects version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:c446384e-8b41-5b4d-a6f5-3397b5cc3f2e", "id": "CVE-2023-6909", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-6909 is fixed in version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:69443f61-00f8-5bf0-89a7-fd386c9a5386", "id": "CVE-2023-6940", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-6940 affects version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:72610d42-18b0-517a-8c3b-6ca83661dc7c", "id": "CVE-2023-6974", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-6974 is fixed in version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:4fc446c9-574c-5b0c-b21f-9f20e7b82300", "id": "CVE-2023-6975", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-6975 is fixed in version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:eb50c4e5-aedd-5817-af55-ad9af5ef9868", "id": "CVE-2023-6976", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-6976 affects version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:df139ac1-f523-516a-a410-b38344f74384", "id": "CVE-2023-6977", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-6977 affects version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:d0ee584f-b47e-5c18-8d7e-e8aad8dbbf5b", "id": "CVE-2024-1483", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-1483 affects version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:8f8c1430-a2ef-55aa-88fc-217bd217108e", "id": "CVE-2024-1558", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-1558 affects version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:a1fc819d-09db-5211-afd2-a5ae8dde5f9d", "id": "CVE-2024-1560", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-1560 affects version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:3ac2ec4a-eb1f-5248-bc87-148695746884", "id": "CVE-2024-1593", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-1593 is fixed in version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:b609dbd2-21c0-51a8-afc8-18873683500e", "id": "CVE-2024-1594", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-1594 affects version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:f2be65de-d35b-5dd3-8709-5d5b28e1ab0e", "id": "CVE-2024-27132", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-27132 is fixed in version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:f6e70a2b-b90a-5f71-9c8b-c621af136ddb", "id": "CVE-2024-27133", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-27133 is fixed in version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:fd20c792-83fa-5ad1-9936-57acd7513cf5", "id": "CVE-2024-27134", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-27134 is fixed in version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:e719b452-d3c5-5aa5-97e4-fbffd5861edf", "id": "CVE-2024-2928", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-2928 is fixed in version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:9a10a393-ec20-5669-b2db-9490c8295e06", "id": "CVE-2024-3099", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-3099 affects version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:47cdfef3-610f-544c-99bd-c46b79169e99", "id": "CVE-2024-3573", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-3573 is fixed in version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:a0bebbfd-2e0e-5f13-ae51-a00f078a26f2", "id": "CVE-2024-37052", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-37052 does not affect version 2.9.1.post3+tuxcare of mlflow. already_fixed \u2014 The target MLflow 2.9.1 codebase contains the fix for CVE-2024-37052 (unsafe pickle deserialization in scikit-learn model loading). The MLFLOW_ALLOW_PICKLE_DESERIALIZATION environment variable check was added in prior TuxCare backports (commits d58ee98ca for initial guard, 98a32847a for CVE-2024-37056, cf8bc9c26 for CVE-2024-37053). However, the defense defaults to True (allowing deserializatio..." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:e7d9c787-1d5a-546d-9e00-1b080d744e6e", "id": "CVE-2024-37053", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-37053 affects version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:aad51d0d-32b9-53d0-a979-f497b38f2166", "id": "CVE-2024-37054", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-37054 affects version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:8a56889e-f1f1-5476-9860-9eeff1a24ba8", "id": "CVE-2024-37055", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-37055 affects version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:0bda42dd-bbfa-5580-9703-93a71928e922", "id": "CVE-2024-37056", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-37056 is fixed in version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:e6820b8e-f781-506a-9790-bbd7c87eff10", "id": "CVE-2024-37057", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-37057 affects version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:df21d196-71fd-5b59-8976-16e68b6365ca", "id": "CVE-2024-37058", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-37058 affects version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:17919029-cb80-51ce-bc2a-1e70bc4ceb08", "id": "CVE-2024-37059", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-37059 affects version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:fbaed002-a4fd-5a2f-ae70-6658fa64c30a", "id": "CVE-2024-37060", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-37060 affects version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:42125db8-45ea-542e-8598-16fbd17eec3f", "id": "CVE-2024-37061", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-37061 affects version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:3a658ac3-219e-52be-85c7-d841d4c370d2", "id": "CVE-2024-4263", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-4263 affects version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:ba383c57-59b0-5cfd-801b-7d68bb7864a0", "id": "CVE-2024-6838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-6838 affects version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:b415730f-a09f-510d-8f89-52c50631600d", "id": "CVE-2024-8859", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-8859 affects version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:ee6aa589-ff13-52e1-919e-3ad301f8e640", "id": "CVE-2025-0453", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-0453 affects version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:4557a948-0e51-53ca-91d8-68995832b23c", "id": "CVE-2025-10279", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-10279 is fixed in version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:919d78b1-7ce1-566f-bebb-d52c32e1d518", "id": "CVE-2025-11200", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-11200 is fixed in version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:5a50936e-d8e6-5125-94ac-08356a85dfae", "id": "CVE-2025-11201", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-11201 is fixed in version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:460ab0e6-4d00-583f-8927-eb4727b8b58d", "id": "CVE-2025-14279", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-14279 is fixed in version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:460d8dcf-8e9d-5da3-845c-a68250dfa9d6", "id": "CVE-2025-14287", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-14287 is fixed in version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:5ce03432-3f1c-5e1b-9ca7-7c458556a897", "id": "CVE-2025-1474", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-1474 affects version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:336015c7-eef9-5c54-85a2-6599fb1affbc", "id": "CVE-2025-15031", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-15031 affects version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:e0f65000-e039-53a1-84ab-9409cb94e057", "id": "CVE-2025-15036", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-15036 affects version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:e61dd86d-00ff-56d5-9ad9-219c310b2e2d", "id": "CVE-2025-15379", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-15379 affects version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:71958809-44af-5b9a-96aa-1912f75f6f1c", "id": "CVE-2025-15381", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2025-15381 does not affect version 2.9.1.post3+tuxcare of mlflow. not_affected \u2014 MLflow version 2.9.1 does not contain tracing and assessment features. These features appear to have been introduced in a later version of mlflow. The vulnerability pattern described in CVE-2025-15381 (missing permission validators on tracing and assessment endpoints when basic-auth is enabled) cannot exist in a version that does not have these endpoints." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:a7af303e-b6be-58bf-b626-e1911e589fbf", "id": "CVE-2025-52967", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-52967 is fixed in version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:95e271c6-856f-5bb9-9f67-e6c0dd9fad88", "id": "CVE-2026-0545", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-0545 affects version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:45822c2e-7be4-5531-b9d3-1bb2e2639447", "id": "CVE-2026-0596", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-0596 affects version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:b98d8b85-c710-5879-b7e3-b333ca09ff96", "id": "CVE-2026-2033", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-2033 is fixed in version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:6f36e250-46f5-51f0-b3f5-33827fbee4dd", "id": "CVE-2026-2393", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-2393 affects version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:d849225a-9854-5764-a142-475269455b55", "id": "CVE-2026-2614", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-2614 does not affect version 2.9.1.post3+tuxcare of mlflow. Version 2.9.1 is not vulnerable. Summary: The target repository (MLflow v2.9.1.post4+tuxcare) does not contain the vulnerable code pattern described in CVE-2026-2614. The vulnerability was introduced in version 3.5.0 (September 2025) when prompt registry support was added to webhooks. The target version predates the introduction of the vulnerable feature by approximately 21 months." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:7aacc418-4c92-5b54-a71d-24d81cc5326e", "id": "CVE-2026-2635", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-2635 is fixed in version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:eb76fd92-d64a-5b3a-adbb-8f374f2b92e2", "id": "CVE-2026-2652", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-2652 affects version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:128eea42-12ee-5d42-8cae-061aba52c434", "id": "CVE-2026-2734", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-2734 affects version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:cb747d4f-81e7-5fef-aa95-257f293ef0c0", "id": "CVE-2026-33865", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33865 affects version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:27f15a2e-ab57-52ab-85f5-8af99882bbd9", "id": "CVE-2026-33866", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33866 affects version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }, { "bom-ref": "urn:uuid:624cc8b4-dc92-514b-a8af-24300f19150c", "id": "CVE-2026-4137", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-4137 affects version 2.9.1.post3+tuxcare of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] } ], "dependencies": [ { "ref": "pkg:pypi/mlflow@2.9.1.post3+tuxcare" } ] }