Product Research Enterprise Plans Docs

PyPi: Zenml

CVE-2023-1177

Transitive

Safety vulnerability ID: 54847

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Mar 24, 2023 Updated at Nov 12, 2024

Scan your Python projects for vulnerabilities →

Advisory

Zenml 0.37.0 updates its dependency "mlflow' requirement to '>=1.24.0,<=2.2.2' to include a security fix.

Affected package

zenml

Latest version: 0.70.0

ZenML: Write production-ready ML code.

Affected versions

Fixed versions

Vulnerability changelog

In this ZenML release, we are pleased to introduce a compelling new feature:
[ZenML Code Repositories](https://docs.zenml.io/starter-guide/production-fundamentals/code-repositories).
This innovative addition formalizes the principles of code versioning and
tracking while consolidating their pivotal role in executing pipelines and
caching pipeline steps. With Code Repositories, ZenML is equipped to maintain an
accurate record of the code version employed in your pipeline runs. Furthermore,
executing a pipeline that is monitored by a registered code repository can
significantly accelerate the Docker image building process for containerized
stack components.

As is the case with everything ZenML, we designed the ZenML Code Repository
concept as a highly extensible abstraction. The update defines the basic Code
Repository interface an includes two implementations integrating ZenML with
two popular code repository flavors: GitHub and GitLab.

Other Enhancements

We've updated the `pytorch-lightning` integration to support the `2.0` version.
We also updated the `mlflow` integration to support the `2.2.2` version.

**IMPORTANT**: it is not recommended to continue using MLflow older than `2.2.1`
as a model registry with ZenML, as [it is vulnerable to a security issue](https://github.com/advisories/GHSA-xg73-94fp-g449).

Last but not least, two stellar additions from our community members:

* `zenml stack delete` now supports a `--recursive` flag to delete all
components in a stack. Many thanks to KenmogneThimotee for the contribution!
* the ZenML Sagemaker step operator has been expanded to support S3 input data
and additional input arguments. Many thanks to christianversloot for the
contribution!

Breaking Changes

The ZenML GitHub Orchestrator and GitHub Secrets Manager have been removed in
this release. Given that their concerns overlapped with the new ZenML GitHub
Code Repository and they didn't provide sufficient value on their own, we
decided to discontinue them. If you were using these components, you can
continue to use GitHub Actions to run your pipelines, in combination with the
ZenML GitHub Code Repository.

What's Changed
* Test integration for seldon example by safoinme in https://github.com/zenml-io/zenml/pull/1285
* Update `pytorch-lightning` to support `2.0` by safoinme in https://github.com/zenml-io/zenml/pull/1425
* Code repository by schustmi in https://github.com/zenml-io/zenml/pull/1344
* Bump `ruff` to 0.259 by strickvl in https://github.com/zenml-io/zenml/pull/1439
* Change `pipeline_run_id` to `run_name` by safoinme in https://github.com/zenml-io/zenml/pull/1390
* Update `mypy>=1.1.1` and fix new errors by safoinme in https://github.com/zenml-io/zenml/pull/1432
* Add `--upgrade` option to ZenML integration install by safoinme in https://github.com/zenml-io/zenml/pull/1435
* Bump `MLflow` to 2.2.2 by safoinme in https://github.com/zenml-io/zenml/pull/1441
* HuggingFace Spaces server deployment option by strickvl in https://github.com/zenml-io/zenml/pull/1427
* Bugfix for server import by bcdurak in https://github.com/zenml-io/zenml/pull/1442
* Fix HF Spaces URL by strickvl in https://github.com/zenml-io/zenml/pull/1444
* Remove all `zenml.cli` imports outside of `zenml.cli` by fa9r in https://github.com/zenml-io/zenml/pull/1447
* Add recursive deletion of components for `zenml stack delete` by KenmogneThimotee in https://github.com/zenml-io/zenml/pull/1437
* Temporarily disable primary key requirement for newer mysql versions by schustmi in https://github.com/zenml-io/zenml/pull/1450
* Add step name suffix for sagemaker job name by schustmi in https://github.com/zenml-io/zenml/pull/1452
* Code repo docs by schustmi in https://github.com/zenml-io/zenml/pull/1448
* Allow resource settings for airflow kubernetes pod operators by schustmi in https://github.com/zenml-io/zenml/pull/1378
* SageMaker step operator: expand input arguments and add support for S3 input data by christianversloot in https://github.com/zenml-io/zenml/pull/1381
* Add Screenshots to Code Repo Token by safoinme in https://github.com/zenml-io/zenml/pull/1454

New Contributors
* KenmogneThimotee made their first contribution in https://github.com/zenml-io/zenml/pull/1437
* christianversloot made their first contribution in https://github.com/zenml-io/zenml/pull/1381

**Full Changelog**: https://github.com/zenml-io/zenml/compare/0.36.1...0.37.0

Resources

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1177

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

CRITICAL 9.8

CVSS v3 Details

CRITICAL 9.8

Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): HIGH
Integrity Impact (I): HIGH
Availability Availability (A): HIGH