| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| mlflow | pip | < 2.9.2 | 2.9.2 |
The vulnerability stemmed from calling validate_path_is_safe() without using the sanitized path it returns: the pre-patch code validated the path but then continued to operate on the original user input, so '../' sequences still reached the file operation and allowed traversal. The commit fixes this by assigning path = validate_path_is_safe(path). The key handlers in handlers.py and http_artifact_repo.py that pass user-supplied paths to file operations were affected. The high confidence comes from the direct correlation between the patch changes and CWE-434's unrestricted upload pattern.
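The discarded-return-value pattern described above, as an added illustration that is not mlflow's code: validate_path_is_safe, InvalidPath, resolve_pre_patch, resolve_patched and the /srv/artifacts root are all assumed stand-ins, and the validator here rejects '..' outright but sanitizes an absolute path, which is the case where ignoring its return value lets the join escape the root.

```python
import posixpath


class InvalidPath(ValueError):
    """Raised when a user-supplied path cannot be made safe (assumed type)."""


def validate_path_is_safe(path: str) -> str:
    """Hypothetical stand-in for a validator that RETURNS a sanitized path.

    Normalizes the path, strips leading slashes that would make it absolute,
    and rejects any remaining '..' component. Safety depends on the caller
    using the returned value rather than the original argument.
    """
    if not path:
        raise InvalidPath("empty path")
    normalized = posixpath.normpath(path).lstrip("/")
    if any(part == ".." for part in normalized.split("/")):
        raise InvalidPath(f"path escapes the artifact root: {path!r}")
    return normalized


def resolve_pre_patch(root: str, path: str) -> str:
    """The bug pattern: the validator runs, but its result is discarded."""
    validate_path_is_safe(path)  # return value ignored, original input kept
    return posixpath.join(root, path)  # join drops root if path is absolute


def resolve_patched(root: str, path: str) -> str:
    """The fix: the sanitized path replaces the user input before the join."""
    path = validate_path_is_safe(path)
    return posixpath.join(root, path)


def stays_within(root: str, resolved: str) -> bool:
    """Post-condition a handler can check before touching the filesystem."""
    root = posixpath.normpath(root)
    resolved = posixpath.normpath(resolved)
    return resolved == root or resolved.startswith(root + "/")


def is_rejected(path: str) -> bool:
    """True when the validator refuses the path outright (both versions)."""
    try:
        validate_path_is_safe(path)
    except InvalidPath:
        return True
    return False
```

The stays_within check is the assertion a reviewer would want in the handler itself, since it catches a discarded sanitized value regardless of which validator produced it.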