Lfprojects Mlflow

11 matches found

added 2023/12/18 4:15 a.m. | 86 views

CVE-2023-6909

Path Traversal: '..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.

CVSS 7.5 | AI score 7.4 | EPSS 0.86826

added 2023/12/07 5:15 a.m. | 63 views

CVE-2023-6568

A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the Content-Type header in POST requests. An attacker can inject malicious JavaScript code into the Content-Type header, which is then improperly reflected back to the us...

CVSS 6.5 | AI score 5.9 | EPSS 0.17713

added 2023/12/20 6:15 a.m. | 55 views

CVE-2023-6977

This vulnerability enables malicious users to read sensitive files on the server.

CVSS 10 | AI score 7.4 | EPSS 0.84942

added 2023/12/15 1:15 a.m. | 52 views

CVE-2023-6831

Path Traversal: '..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.

CVSS 8.1 | AI score 8 | EPSS 0.80382

added 2023/12/20 6:15 a.m. | 43 views

CVE-2023-6974

A malicious user could use this issue to access internal HTTP(s) servers and, in the worst case (i.e., an AWS instance), it could be abused to get remote code execution on the victim machine.

CVSS 9.8 | AI score 9.4 | EPSS 0.02591

added 2023/12/19 2:15 a.m. | 42 views

CVE-2023-6940

With only one user interaction (downloading a malicious config), attackers can gain full command execution on the victim system.

CVSS 9 | AI score 8.9 | EPSS 0.00115

added 2023/12/13 12:15 a.m. | 41 views

CVE-2023-6753

Path Traversal in GitHub repository mlflow/mlflow prior to 2.9.2.

CVSS 9.6 | AI score 8.7 | EPSS 0.02505

added 2023/12/05 7:15 a.m. | 36 views

CVE-2023-43472

An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to the REST API.

CVSS 7.5 | AI score 7.1 | EPSS 0.78536

added 2023/12/12 4:15 a.m. | 33 views

CVE-2023-6709

Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository mlflow/mlflow prior to 2.9.2.

CVSS 10 | AI score 8.7 | EPSS 0.002

added 2023/12/20 6:15 a.m. | 33 views

CVE-2023-6975

A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information.

CVSS 9.8 | AI score 9.6 | EPSS 0.01542

added 2023/12/20 6:15 a.m. | 29 views

CVE-2023-6976

This vulnerability is capable of writing arbitrary files into arbitrary locations on the remote filesystem in the context of the server process.

CVSS 8.8 | AI score 8.7 | EPSS 0.00107