
CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

A malicious user could use this issue to get command execution on the vulnerable machine and get access to data and model information. • https://github.com/mlflow/mlflow/commit/b9ab9ed77e1deda9697fe472fb1079fd428149ee https://huntr.com/bounties/029a3824-cee3-4cf1-b260-7138aa539b85 • CWE-29: Path Traversal: '\..\filename'

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

A malicious user could use this issue to access internal HTTP(S) servers, and in the worst case (i.e., an AWS instance) it could be abused to get remote code execution on the victim machine. • https://github.com/mlflow/mlflow/commit/8174250f83352a04c2d42079f414759060458555 https://huntr.com/bounties/438b0524-da0e-4d08-976a-6f270c688393 • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

With only one user interaction (downloading a malicious config), attackers can gain full command execution on the victim system. • https://github.com/mlflow/mlflow/commit/5139b1087d686fa52e2b087e09da66aff86297b1 https://huntr.com/bounties/c6f59480-ce47-4f78-a3dc-4bd8ca15029c • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2. • https://github.com/mlflow/mlflow/commit/1da75dfcecd4d169e34809ade55748384e8af6c1 https://huntr.com/bounties/11209efb-0f84-482f-add0-587ea6b7e850 • CWE-29: Path Traversal: '\..\filename'

CVSS: 8.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2. • https://github.com/mlflow/mlflow/commit/1da75dfcecd4d169e34809ade55748384e8af6c1 https://huntr.com/bounties/0acdd745-0167-4912-9d5c-02035fe5b314 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') • CWE-29: Path Traversal: '\..\filename'