|
|
|||
| Rule General Information |
|---|
| Release Date: | 2025-05-14 | |
| Rule Name: | Mlflow Path Traversal Vulnerability (CVE-2023-2356) | |
| Severity: | Critical | |
| CVE ID: | CVE-2023-2356 | |
| Rule Protection Details |
|---|
| Description: | Mlflow is an open source machine learning lifecycle management platform designed to simplify the development, tracking, deployment, and management of machine learning projects. It supports the entire machine learning workflow from experiment tracking, model registration, model deployment to project packaging. Mlflow versions earlier than have security vulnerabilities. An attacker could exploit the vulnerability to access files and directories stored outside of the web root folder. | |
| Impact: | An attacker could exploit this vulnerability to have unspecified effect. | |
| Affected OS: | Windows, Linux, Others | |
| Reference: | https://github.com/mlflow/mlflow/commit/f73147496e05c09a8b83d95fb4f1bf86696c6342 https://huntr.dev/bounties/7b5d130d-38eb-4133-8c7d-0dfc9a9d9896 |
|
| Solutions |
|---|
| Please refer to announcements or patches release by the vendor: https://github.com/mlflow/mlflow/commit/f73147496e05c09a8b83d95fb4f1bf86696c6342 |