PyPi: Mlrun

CVE-2024-27454

Transitive

Safety vulnerability ID: 67574

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Feb 26, 2024 Updated at May 17, 2024

Advisory

Mlrun 1.7.0rc8 raises its orjson requirement to a minimum version of 3.9.15, while staying below 4.0, to address CVE-2024-27454.

Affected package

mlrun

Latest version: 1.6.2

Tracking and config of machine learning runs

Affected versions

Fixed versions

Vulnerability changelog

Features / Enhancements
* **Nuclio**: API gateway system test, 5374, rokatyy
* **Make**: Add comments describing the logic behind container cleanups, 5400, yanburman
* **Tests**: Add dask coverage in datastore tests, 5371, tomerm-iguazio
* **Errors**: Use `error_to_str()` to format exceptions, 5404, yanburman
* **Tests**: Print mlrun-api logs in integ test in human readable form, 5402, yanburman
* **Projects**: Expose project level default function node selector via SDK for user interface, 5369, yaelgen
* **Requirements**: Allow for newer versions of fsspec, 5383, gtopper
* **Requirements**: Tighten pydantic upperbound due to breakage upstream, 5390, gtopper
* **FeatureStore**: Add default value for ds profile url, 5386, alxtkr77
* **Project**: Use job kind by default if not specified, 5224, Yacouby
* **Pagination**: Phase IV - handle permission filtering on paginated requests, 5385, quaark
* **Tests**: Allow running tests after previous failure, 5384, yanburman
* **Requirements**: Raise minimum `orjson` version due to CVE-2024-27454, 5382, gtopper
* **UI**: [Features & enhancement](https://github.com/mlrun/ui/releases/tag/v1.7.0-rc8#features-and-enhancements)

Bug fixes
* **Model Monitoring**: Fix security issue - delete pipelines access key from serving env, 5393, davesh0812
* **Tests**: Fix `TestBatchDrift::test_batch_drift` system test, 5394, davesh0812
* **Tensorflow**: Fix import, 5375, gtopper
* **Pipelines**: Fix sensitive data appearing in pipeline metadata artifact, 5373, quaark
* **Pagination**: Phase IV.5 - fix no pagination on authenticated request and refactor config, 5387, quaark
* **Retryer**: Fix retryer not keeping last exception, 5376, alonmr
* **Docs**: Fix cheat sheet usage of `KafkaTarget`, 5372, gtopper
* **UI**: [Bug fixes](https://github.com/mlrun/ui/releases/tag/v1.7.0-rc8#bug-fixes)


Pull requests:
cc1ff1e9 [Model Monitoring] Fix security issue - delete pipelines access key from serving env (5393)
989d496b [Nuclio] API Gateway system test (5374)
a72edcde [Make] Add comments describing the logic behind container cleanups (5400)
492d5eea [Tests] Fix `TestBatchDrift::test_batch_drift` system test (5394)
a6903389 [Tests] Add dask coverage in datastore tests (5371)
292d4eec [Errors] Use `error_to_str()` to format exceptions (5404)
7ad90eef [Tests] Print mlrun-api logs in integ test in human readable form (5402)
c723f751 [Projects] Expose Project level default function node selector via SDK for user interface (5369)
5837ce36 [Tensorflow] Fix import (5375)
0e4b2eae [Requirements] Allow for newer versions of fsspec (5383)
cbafd621 [Requirements] Tighten pydantic upperbound due to breakage upstream (5390)
7cc4fa65 [FeatureStore] Add default value for ds profile url (5386)
404d8ffe [Pipelines] Fix sensitive data appearing in pipeline metadata artifact (5373)
33d5edff [Pagination] Phase IV.5 - Fix No Pagination on authenticated request and Refactor Config (5387)
14cc5e28 [Project] Use job kind by default if not specified (5224)
acebdc44 [Pagination] Phase IV - Handle Permission Filtering on Paginated Requests (5385)
31bed60f [Tests] Allow running tests after previous failure (5384)
812813ef [Retryer] Fix retryer not keeping last exception (5376)
61818c4e [Requirements] Raise minimum `orjson` version due to CVE-2024-27454 (5382)
a95fefd8 [Docs] Fix cheat sheet usage of `KafkaTarget` (5372)

Resources
