Lucene search

K

GoogleOSV:GHSA-4QQ5-MXXX-M6GG

HistoryNov 16, 2023 - 9:30 p.m.

MLflow authentication requirement bypass can allow a user to arbitrarily create an account

2023-11-1621:30:46

Google

osv.dev

5

mlflow

authentication bypass

arbitrary account

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

43.5%

An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirement.

CPENameOperatorVersion
mlfloweq2.6.0
mlfloweq1.9.1
mlfloweq0.9.0
mlfloweq1.28.0
mlfloweq0.8.1
mlfloweq2.4.1
mlfloweq1.15.0
mlfloweq1.7.2
mlfloweq1.3.0
mlfloweq1.26.0

Rows per page:

1-10 of 811

References

github.com/mlflow/mlflow

github.com/mlflow/mlflow/commit/32de2154ef9f946160e5dc01a4d8a449dd0bd259

github.com/mlflow/mlflow/issues/9669

github.com/mlflow/mlflow/pull/9700

github.com/mlflow/mlflow/releases/tag/v2.8.0

huntr.com/bounties/3e64df69-ddc2-463e-9809-d07c24dc1de4

nvd.nist.gov/vuln/detail/CVE-2023-6014

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

43.5%

Related for OSV:GHSA-4QQ5-MXXX-M6GG

prion1 cve1 nvd1 veracode1 cvelist1 osv1 github1