CVSS: 6.5EPSS: 17%CPEs: 1EXPL: 1CVE-2023-6568 – Reflected XSS via Content-Type Header in mlflow/mlflow
https://notcve.org/view.php?id=CVE-2023-6568
07 Dec 2023 — A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the Content-Type header in POST requests. An attacker can inject malicious JavaScript code into the Content-Type header, which is then improperly reflected back to the user without adequate sanitization or escaping, leading to arbitrary JavaScript execution in the context of the victim's browser. The vulnerability is present in the mlflow/server/auth/__init__.py file, where the us... • https://github.com/mlflow/mlflow/commit/28ff3f94994941e038f2172c6484b65dc4db6ca1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 78%CPEs: 1EXPL: 1CVE-2023-43472
https://notcve.org/view.php?id=CVE-2023-43472
05 Dec 2023 — An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API. Un problema en las versiones 2.8.1 y anteriores de MLFlow permite que un atacante remoto obtenga información confidencial a través de una solicitud manipulada a la API REST. • https://www.contrastsecurity.com/security-influencers/discovering-mlflow-framework-zero-day-vulnerability-machine-language-model-security-contrast-security •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-6015 – MLflow Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2023-6015
16 Nov 2023 — MLflow allowed arbitrary files to be PUT onto the server. MLflow permitió PONER archivos arbitrarios en el servidor. • https://huntr.com/bounties/43e6fb72-676e-4670-a225-15d6836f65d3 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-4033 – OS Command Injection in mlflow/mlflow
https://notcve.org/view.php?id=CVE-2023-4033
01 Aug 2023 — OS Command Injection in GitHub repository mlflow/mlflow prior to 2.6.0. • https://github.com/mlflow/mlflow/commit/6dde93758d42455cb90ef324407919ed67668b9b • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 10.0EPSS: 92%CPEs: 2EXPL: 1CVE-2023-3765 – Absolute Path Traversal in mlflow/mlflow
https://notcve.org/view.php?id=CVE-2023-3765
19 Jul 2023 — Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0. • https://github.com/mlflow/mlflow/commit/6dde93758d42455cb90ef324407919ed67668b9b • CWE-36: Absolute Path Traversal •
CVSS: 10.0EPSS: 86%CPEs: 1EXPL: 1CVE-2023-2780 – Path Traversal: '\..\filename' in mlflow/mlflow
https://notcve.org/view.php?id=CVE-2023-2780
17 May 2023 — Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.3.1. • https://github.com/mlflow/mlflow/commit/fae77a525dd908c56d6204a4cef1c1c75b4e9857 • CWE-29: Path Traversal: '\..\filename' •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-30172
https://notcve.org/view.php?id=CVE-2023-30172
11 May 2023 — A directory traversal vulnerability in the /get-artifact API method of the mlflow platform up to v2.0.1 allows attackers to read arbitrary files on the server via the path parameter. • https://github.com/mlflow/mlflow/issues/7166 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 82%CPEs: 1EXPL: 1CVE-2023-2356 – Relative Path Traversal in mlflow/mlflow
https://notcve.org/view.php?id=CVE-2023-2356
28 Apr 2023 — Relative Path Traversal in GitHub repository mlflow/mlflow prior to 2.3.1. • https://github.com/mlflow/mlflow/commit/f73147496e05c09a8b83d95fb4f1bf86696c6342 • CWE-23: Relative Path Traversal •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-1176 – Absolute Path Traversal in mlflow/mlflow
https://notcve.org/view.php?id=CVE-2023-1176
24 Mar 2023 — Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.2.2. • https://github.com/mlflow/mlflow/commit/63ef72aa4334a6473ce7f889573c92fcae0b3c0d • CWE-36: Absolute Path Traversal •
CVSS: 10.0EPSS: 93%CPEs: 1EXPL: 8CVE-2023-1177 – Path Traversal: '\..\filename' in mlflow/mlflow
https://notcve.org/view.php?id=CVE-2023-1177
24 Mar 2023 — Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1. • https://github.com/iumiro/CVE-2023-1177-MLFlow • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-29: Path Traversal: '\..\filename' •