{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:eee828cd-108b-59e5-a45b-e192488f00cd", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:pypi/mlflow@2.9.1", "type": "library", "name": "mlflow", "version": "2.9.1", "purl": "pkg:pypi/mlflow@2.9.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:c81244ca-7b50-5ec0-8359-7cb4193eaac9", "id": "CVE-2023-6831", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-6831 affects version 2.9.1 of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1" } ] }, { "bom-ref": "urn:uuid:a2507d4f-124d-5c4b-a45c-abbf4e83ec4c", "id": "CVE-2023-6940", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-6940 affects version 2.9.1 of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1" } ] }, { "bom-ref": "urn:uuid:4b884adb-f990-55ba-bbb4-ada791b5d48a", "id": "CVE-2023-6976", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-6976 affects version 2.9.1 of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1" } ] }, { "bom-ref": "urn:uuid:303b0fac-c647-5e67-a3c7-14f763042db9", "id": "CVE-2023-6977", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-6977 affects version 2.9.1 of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1" } ] }, { "bom-ref": "urn:uuid:84a492fe-8dfc-518b-8135-652dee058883", "id": "CVE-2024-1483", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-1483 affects version 2.9.1 of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1" } ] }, { "bom-ref": "urn:uuid:73acb354-caf0-5740-b79f-e77ad3983b96", "id": "CVE-2024-1558", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-1558 affects version 2.9.1 of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1" } ] }, { "bom-ref": "urn:uuid:8e95a23f-cc9e-5c36-be1a-5ef05464e754", "id": "CVE-2024-1560", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-1560 affects version 2.9.1 of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1" } ] }, { "bom-ref": "urn:uuid:c5ecb103-53a7-5081-bac2-5cafc956e686", "id": "CVE-2024-1594", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-1594 affects version 2.9.1 of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1" } ] }, { "bom-ref": "urn:uuid:9c5bf44b-5499-5979-a4c2-84793852e92e", "id": "CVE-2024-3099", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-3099 affects version 2.9.1 of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1" } ] }, { "bom-ref": "urn:uuid:cdcac64c-564c-5864-84d6-77ff07129a1c", "id": "CVE-2024-37052", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-37052 does not affect version 2.9.1 of mlflow. already_fixed \u2014 The target MLflow 2.9.1 codebase contains the fix for CVE-2024-37052 (unsafe pickle deserialization in scikit-learn model loading). The MLFLOW_ALLOW_PICKLE_DESERIALIZATION environment variable check was added in prior TuxCare backports (commits d58ee98ca for initial guard, 98a32847a for CVE-2024-37056, cf8bc9c26 for CVE-2024-37053). However, the defense defaults to True (allowing deserializatio..." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1" } ] }, { "bom-ref": "urn:uuid:808437ce-e541-5ac8-b969-e45fd703fa17", "id": "CVE-2024-37054", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-37054 affects version 2.9.1 of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1" } ] }, { "bom-ref": "urn:uuid:71133190-7078-5a5e-890b-73a3b5ef65b4", "id": "CVE-2024-37057", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-37057 affects version 2.9.1 of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1" } ] }, { "bom-ref": "urn:uuid:d8dea7db-dedf-58a6-9510-ad883c1efd59", "id": "CVE-2024-37058", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-37058 affects version 2.9.1 of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1" } ] }, { "bom-ref": "urn:uuid:1bc72023-53bb-5082-b225-305be5666524", "id": "CVE-2024-37059", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-37059 affects version 2.9.1 of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1" } ] }, { "bom-ref": "urn:uuid:6f9604fd-173a-5b26-9fe2-e9e1285e9191", "id": "CVE-2024-37060", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-37060 affects version 2.9.1 of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1" } ] }, { "bom-ref": "urn:uuid:b1003416-dfd9-5a96-99e8-ebeb0b67ee03", "id": "CVE-2024-37061", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-37061 affects version 2.9.1 of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1" } ] }, { "bom-ref": "urn:uuid:192a359f-286f-55d4-8477-9ace90787fae", "id": "CVE-2024-4263", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-4263 affects version 2.9.1 of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1" } ] }, { "bom-ref": "urn:uuid:87b14e93-c260-5127-a32b-b8b58056b9aa", "id": "CVE-2025-0453", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-0453 affects version 2.9.1 of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1" } ] }, { "bom-ref": "urn:uuid:ad1ca289-28c6-596f-944e-838c25cf4a17", "id": "CVE-2025-1474", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-1474 affects version 2.9.1 of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1" } ] }, { "bom-ref": "urn:uuid:c53ecf26-b432-5d80-b4a7-2cf25a3dc128", "id": "CVE-2025-15031", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-15031 affects version 2.9.1 of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1" } ] }, { "bom-ref": "urn:uuid:bddeac9c-a5c3-5ed2-a99b-62e4fd111164", "id": "CVE-2025-15036", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-15036 affects version 2.9.1 of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1" } ] }, { "bom-ref": "urn:uuid:97392311-7f6c-579b-9c16-47f2f7c2a1cd", "id": "CVE-2025-15379", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-15379 affects version 2.9.1 of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1" } ] }, { "bom-ref": "urn:uuid:49f6929b-04e1-5abe-b2f7-d6fb335c496f", "id": "CVE-2025-15381", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2025-15381 does not affect version 2.9.1 of mlflow. not_affected \u2014 MLflow version 2.9.1 does not contain tracing and assessment features. These features appear to have been introduced in a later version of mlflow. The vulnerability pattern described in CVE-2025-15381 (missing permission validators on tracing and assessment endpoints when basic-auth is enabled) cannot exist in a version that does not have these endpoints." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1" } ] }, { "bom-ref": "urn:uuid:25554de8-02dc-5bad-8fec-4cd43183a87e", "id": "CVE-2026-0545", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-0545 affects version 2.9.1 of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1" } ] }, { "bom-ref": "urn:uuid:9930a0da-f102-5737-87cb-62c8a4703a2a", "id": "CVE-2026-0596", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-0596 affects version 2.9.1 of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1" } ] }, { "bom-ref": "urn:uuid:40fe8cbf-2014-5727-8ee0-edff8a6c32ab", "id": "CVE-2026-2393", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-2393 affects version 2.9.1 of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1" } ] }, { "bom-ref": "urn:uuid:bf6ad8ff-9de3-5119-a62c-887f00966e2b", "id": "CVE-2026-2614", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-2614 does not affect version 2.9.1 of mlflow. Version 2.9.1 is not vulnerable. Summary: The target repository (MLflow v2.9.1.post4+tuxcare) does not contain the vulnerable code pattern described in CVE-2026-2614. The vulnerability was introduced in version 3.5.0 (September 2025) when prompt registry support was added to webhooks. The target version predates the introduction of the vulnerable feature by approximately 21 months." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1" } ] }, { "bom-ref": "urn:uuid:a4752ae2-0e62-5240-9f27-96d4e9cd4390", "id": "CVE-2026-2652", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-2652 affects version 2.9.1 of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1" } ] }, { "bom-ref": "urn:uuid:d1d97b3e-78ed-5458-85cc-e89248ef5f60", "id": "CVE-2026-2734", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-2734 affects version 2.9.1 of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1" } ] }, { "bom-ref": "urn:uuid:02d28135-f7f8-5cb9-8396-e38d49d27174", "id": "CVE-2026-33865", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33865 affects version 2.9.1 of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1" } ] }, { "bom-ref": "urn:uuid:033d98c9-7c6b-5461-b93e-da054bdd0984", "id": "CVE-2026-33866", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33866 affects version 2.9.1 of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1" } ] }, { "bom-ref": "urn:uuid:5b23f9d2-6863-5183-ba92-5e8ba8b9d860", "id": "CVE-2026-4137", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-4137 affects version 2.9.1 of mlflow." }, "affects": [ { "ref": "pkg:pypi/mlflow@2.9.1" } ] } ], "dependencies": [ { "ref": "pkg:pypi/mlflow@2.9.1" } ] }