Lucene search

K

GitHub Advisory DatabaseGHSA-4QQ5-MXXX-M6GG

HistoryNov 16, 2023 - 9:30 p.m.

MLflow authentication requirement bypass can allow a user to arbitrarily create an account

2023-11-1621:30:46

CWE-598

GitHub Advisory Database

github.com

3

mlflow

authentication bypass

arbitrary account creation

software

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

43.5%

An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirement.

Affected configurations

Vulners

Node

lfprojectsmlflowRange<2.8.0

CPENameOperatorVersion
mlflowlt2.8.0

References

github.com/advisories/GHSA-4qq5-mxxx-m6gg

github.com/mlflow/mlflow/commit/32de2154ef9f946160e5dc01a4d8a449dd0bd259

github.com/mlflow/mlflow/issues/9669

github.com/mlflow/mlflow/pull/9700

github.com/mlflow/mlflow/releases/tag/v2.8.0

huntr.com/bounties/3e64df69-ddc2-463e-9809-d07c24dc1de4

nvd.nist.gov/vuln/detail/CVE-2023-6014

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

43.5%

Related for GHSA-4QQ5-MXXX-M6GG

prion1 cve1 nvd1 veracode1 cvelist1 osv2