Mlflow
CVE-2023-1176
LOW
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 6 pypi packages depend on mlflow (6 direct, 0 indirect)
Ecosystem-wide dependent count for version 2.2.1.
DescriptionNVD
Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.2.2.
AnalysisAI
Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.2.2. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified under CWE-36. Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.2.2. Affected products include: Lfprojects Mlflow. Version information: prior to 2.2.2..
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. Rated high severity (CVSS 7.5), this vulnerabilit
Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0. Rated critical severity (CVSS 10.0), this vul
A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models
A malicious user could use this issue to access internal HTTP(s) servers and in the worst case (ie: aws instance) it cou
An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirment. Rated critical s
An attacker can overwrite any file on the server hosting MLflow without any authentication. Rated critical severity (CVS
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.3.1. Rated critical severity (CVSS 9.8), th
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1. Rated critical severity (CVSS 9.8), th
Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. Rated critical se
Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe. Rated critical severity (CVSS 9.6), t
mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass
A vulnerability in mlflow/mlflow version 8.2.1 allows for remote code execution due to improper neutralization of specia
Same weakness CWE-36 – Absolute Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today