CVE-2023-43472
https://notcve.org/view.php?id=CVE-2023-43472
An issue in MLflow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to the REST API. • https://www.contrastsecurity.com/security-influencers/discovering-mlflow-framework-zero-day-vulnerability-machine-language-model-security-contrast-security •
CVE-2023-6014 – MLflow Authentication Bypass
https://notcve.org/view.php?id=CVE-2023-6014
An attacker is able to arbitrarily create an account in MLflow, bypassing any authentication requirement. • https://huntr.com/bounties/3e64df69-ddc2-463e-9809-d07c24dc1de4 • CWE-598: Use of GET Request Method With Sensitive Query Strings •
CVE-2023-6015 – MLflow Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2023-6015
MLflow allowed arbitrary files to be PUT onto the server. • https://huntr.com/bounties/43e6fb72-676e-4670-a225-15d6836f65d3 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2023-6018 – MLflow Arbitrary File Write
https://notcve.org/view.php?id=CVE-2023-6018
An attacker can overwrite any file on the server hosting MLflow without any authentication. • https://huntr.com/bounties/7cf918b5-43f4-48c0-a371-4d963ce69b30 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2023-4033 – OS Command Injection in mlflow/mlflow
https://notcve.org/view.php?id=CVE-2023-4033
OS Command Injection in GitHub repository mlflow/mlflow prior to 2.6.0. • https://github.com/mlflow/mlflow/commit/6dde93758d42455cb90ef324407919ed67668b9b https://huntr.dev/bounties/5312d6f8-67a5-4607-bd47-5e19966fa321 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •