CVE-2023-6976 – mlflow
Package
Manager: pip
Name: mlflow
Vulnerable Version: >=0 <2.9.2
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00107 (percentile: 0.29507)
Details
MLflow Path Traversal Vulnerability
This vulnerability allows writing arbitrary files to arbitrary locations on the remote filesystem in the context of the server process.
Metadata
Created: 2023-12-20T06:30:25Z
Modified: 2023-12-20T20:36:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-wv8q-4f85-2p8p/GHSA-wv8q-4f85-2p8p.json
CWE IDs: ["CWE-434"]
Alternative ID: GHSA-wv8q-4f85-2p8p
Finding: F027
Auto approve: 1