Mlflow@* Security Vulnerabilities and Issues — Mlflow@* CVE List

A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the Content-Type header in POST requests. An attacker can inject malicious JavaScript code into the Content-Type header, which is then improperly reflected back to the us...

6.5CVSS5.9AI score0.17713EPSS

CVE•added 2023/05/11 2:15 a.m.•60 views

CVE-2023-30172

A directory traversal vulnerability in the /get-artifact API method of the mlflow platform up to v2.0.1 allows attackers to read arbitrary files on the server via the path parameter.

7.5CVSS7.3AI score0.00449EPSS

CVE•added 2023/07/19 1:15 a.m.•59 views

CVE-2023-3765

Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0.

10CVSS9.4AI score0.9279EPSS

CVE•added 2023/11/16 9:15 p.m.•56 views

CVE-2023-6014

An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirment.

9.8CVSS9.5AI score0.00671EPSS

CVE•added 2023/12/20 6:15 a.m.•55 views

CVE-2023-6977

This vulnerability enables malicious users to read sensitive files on the server.

10CVSS7.4AI score0.84942EPSS

CVE•added 2023/11/16 4:15 p.m.•53 views

CVE-2023-6015

MLflow allowed arbitrary files to be PUT onto the server.

10CVSS7.6AI score0.00767EPSS

CVE•added 2023/12/15 1:15 a.m.•52 views

CVE-2023-6831

Path Traversal: '..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.

8.1CVSS8AI score0.80382EPSS

CVE•added 2023/08/01 1:15 a.m.•44 views

CVE-2023-4033

OS Command Injection in GitHub repository mlflow/mlflow prior to 2.6.0.

8.8CVSS8AI score0.00156EPSS

CVE•added 2023/12/20 6:15 a.m.•43 views

CVE-2023-6974

A malicious user could use this issue to access internal HTTP(s) servers and in the worst case (ie: aws instance) it could be abuse to get a remote code execution on the victim machine.

9.8CVSS9.4AI score0.02591EPSS

CVE•added 2023/12/19 2:15 a.m.•42 views

CVE-2023-6940

with only one user interaction(download a malicious config), attackers can gain full command execution on the victim system.

9CVSS8.9AI score0.00115EPSS

CVE•added 2023/12/13 12:15 a.m.•41 views

CVE-2023-6753

Path Traversal in GitHub repository mlflow/mlflow prior to 2.9.2.

9.6CVSS8.7AI score0.02505EPSS

CVE•added 2023/12/05 7:15 a.m.•36 views

CVE-2023-43472

An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API.

7.5CVSS7.1AI score0.78536EPSS

CVE•added 2023/12/12 4:15 a.m.•33 views

CVE-2023-6709

Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository mlflow/mlflow prior to 2.9.2.

10CVSS8.7AI score0.002EPSS

CVE•added 2023/12/20 6:15 a.m.•33 views

CVE-2023-6975

A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information.

9.8CVSS9.6AI score0.01542EPSS

CVE•added 2023/12/20 6:15 a.m.•29 views

CVE-2023-6976

This vulnerability is capable of writing arbitrary files into arbitrary locations on the remote filesystem in the context of the server process.

8.8CVSS8.7AI score0.00107EPSS