CVSS: 7.8EPSS: 44%CPEs: 1EXPL: 1CVE-2023-6909 – Path Traversal: '\..\filename' in mlflow/mlflow
https://notcve.org/view.php?id=CVE-2023-6909
18 Dec 2023 — Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2. Path traversal: '\..\filename' en el repositorio de GitHub mlflow/mlflow anterior a 2.9.2. • https://github.com/mlflow/mlflow/commit/1da75dfcecd4d169e34809ade55748384e8af6c1 • CWE-29: Path Traversal: '\..\filename' •
CVSS: 8.5EPSS: 39%CPEs: 1EXPL: 1CVE-2023-6831 – Path Traversal: '\..\filename' in mlflow/mlflow
https://notcve.org/view.php?id=CVE-2023-6831
15 Dec 2023 — Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2. Path Traversal: '\..\filename' en el repositorio de GitHub mlflow/mlflow anterior a 2.9.2. • https://github.com/mlflow/mlflow/commit/1da75dfcecd4d169e34809ade55748384e8af6c1 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-29: Path Traversal: '\..\filename' •
CVSS: 10.0EPSS: 1%CPEs: 2EXPL: 1CVE-2023-6753 – Path Traversal in mlflow/mlflow
https://notcve.org/view.php?id=CVE-2023-6753
13 Dec 2023 — Path Traversal in GitHub repository mlflow/mlflow prior to 2.9.2. Path traversal en el repositorio de GitHub mlflow/mlflow anterior a 2.9.2. • https://github.com/mlflow/mlflow/commit/1c6309f884798fbf56017a3cc808016869ee8de4 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-6709 – Improper Neutralization of Special Elements Used in a Template Engine in mlflow/mlflow
https://notcve.org/view.php?id=CVE-2023-6709
12 Dec 2023 — Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository mlflow/mlflow prior to 2.9.2. Neutralización inadecuada de elementos especiales utilizados en un motor de plantillas en el repositorio de GitHub mlflow/mlflow anterior a 2.9.2. • https://github.com/mlflow/mlflow/commit/432b8ccf27fd3a76df4ba79bb1bec62118a85625 • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVSS: 6.5EPSS: 6%CPEs: 1EXPL: 1CVE-2023-6568 – Reflected XSS via Content-Type Header in mlflow/mlflow
https://notcve.org/view.php?id=CVE-2023-6568
07 Dec 2023 — A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the Content-Type header in POST requests. An attacker can inject malicious JavaScript code into the Content-Type header, which is then improperly reflected back to the user without adequate sanitization or escaping, leading to arbitrary JavaScript execution in the context of the victim's browser. The vulnerability is present in the mlflow/server/auth/__init__.py file, where the us... • https://github.com/mlflow/mlflow/commit/28ff3f94994941e038f2172c6484b65dc4db6ca1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 23%CPEs: 1EXPL: 1CVE-2023-43472
https://notcve.org/view.php?id=CVE-2023-43472
05 Dec 2023 — An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API. Un problema en las versiones 2.8.1 y anteriores de MLFlow permite que un atacante remoto obtenga información confidencial a través de una solicitud manipulada a la API REST. • https://www.contrastsecurity.com/security-influencers/discovering-mlflow-framework-zero-day-vulnerability-machine-language-model-security-contrast-security •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-6014 – MLflow Authentication Bypass
https://notcve.org/view.php?id=CVE-2023-6014
16 Nov 2023 — An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirment. Un atacante puede crear arbitrariamente una cuenta en MLflow sin pasar por ningún requisito de autenticación. • https://huntr.com/bounties/3e64df69-ddc2-463e-9809-d07c24dc1de4 • CWE-598: Use of GET Request Method With Sensitive Query Strings •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-6015 – MLflow Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2023-6015
16 Nov 2023 — MLflow allowed arbitrary files to be PUT onto the server. MLflow permitió PONER archivos arbitrarios en el servidor. • https://huntr.com/bounties/43e6fb72-676e-4670-a225-15d6836f65d3 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 54%CPEs: 1EXPL: 1CVE-2023-6018 – MLflow Arbitrary File Write
https://notcve.org/view.php?id=CVE-2023-6018
16 Nov 2023 — An attacker can overwrite any file on the server hosting MLflow without any authentication. Un atacante puede sobrescribir cualquier archivo en el servidor que aloja MLflow sin ninguna autenticación. • https://huntr.com/bounties/7cf918b5-43f4-48c0-a371-4d963ce69b30 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-4033 – OS Command Injection in mlflow/mlflow
https://notcve.org/view.php?id=CVE-2023-4033
01 Aug 2023 — OS Command Injection in GitHub repository mlflow/mlflow prior to 2.6.0. • https://github.com/mlflow/mlflow/commit/6dde93758d42455cb90ef324407919ed67668b9b • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •