CVE-2023-6976
Published 2023-12-20
CVE-2023-6976: This vulnerability is capable of writing arbitrary files into arbitrary locations on the remote filesystem in the context of the server process.
Priority P3 · 54 · high · 8.8 CVSS 3.1
AV:N AC:L PR:L UI:N S:U C:H I:H A:H
EPSS: 1.01% (58.7th percentile)
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lfprojects | mlflow | < 2.9.2 | 2.9.2 |
| lfprojects | mlflow | >= 0 < 2.9.2 | 2.9.2 |
| mlflow | mlflow_mlflow | >= unspecified < 2.9.2 | 2.9.2 |
CVSS provenance
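| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |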
GHSA
MLflow Path Traversal Vulnerability
ghsa·2023-12-20
CVE-2023-6976 [HIGH] CWE-434 MLflow Path Traversal Vulnerability
This vulnerability is capable of writing arbitrary files into arbitrary locations on the remote filesystem in the context of the server process.
OSV
MLflow Path Traversal Vulnerability
osv·2023-12-20
CVE-2023-6976 [HIGH] MLflow Path Traversal Vulnerability
This vulnerability is capable of writing arbitrary files into arbitrary locations on the remote filesystem in the context of the server process.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2023-12-20