CVE-2023-6014
published 2023-11-16
CVE-2023-6014: An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirement.
Priority P262 · critical · 9.8 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.16% (63.1th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mlflow | mlflow_mlflow | >= 0 < 2.8.0 | 2.8.0 |
| mlflow | mlflow_mlflow | unspecified – latest | — |
CVSS provenance
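| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 9.1 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |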
GHSA
MLflow authentication requirement bypass can allow a user to arbitrarily create an account
ghsa·2023-11-16
CVE-2023-6014 [CRITICAL] CWE-598 MLflow authentication requirement bypass can allow a user to arbitrarily create an account
An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirement.
OSV
MLflow authentication requirement bypass can allow a user to arbitrarily create an account
osv·2023-11-16
CVE-2023-6014 [CRITICAL] MLflow authentication requirement bypass can allow a user to arbitrarily create an account
An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirement.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2023-11-16
Published