9.8 CVSS
9.3 AI Score
0.279 EPSS
9.8 CVSS
9.4 AI Score
0.033 EPSS
An attacker is able to arbitrarily create an account in MLflow, bypassing any authentication requirement.
9.8 CVSS
9.4 AI Score
0.001 EPSS
An attacker can overwrite any file on the server hosting MLflow without any authentication.
9.8 CVSS
9.4 AI Score
0.89 EPSS
A malicious user could use this issue to access internal HTTP(S) servers and, in the worst case (i.e., an AWS instance), it could be abused to get remote code execution on the victim machine.
9.8 CVSS
9.4 AI Score
0.003 EPSS
A malicious user could use this issue to get command execution on the vulnerable machine and gain access to data and model information.
9.8 CVSS
9.5 AI Score
0.001 EPSS
mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary files on the system. The issue arises from the 'is_local_uri' function's failure to properly handle URIs with empty or 'file' schemes, leading to the mis...
9.3 CVSS
9.2 AI Score
0.0004 EPSS