CVE-2023-6974

CRITICAL9.8EPSS 2.6%

MLflow Server-Side Request Forgery (SSRF)

Published: 12/20/2023Modified: 2/14/2025

Also known as:GHSA-59v3-898r-qwhjBIT-mlflow-2023-6974

Description

A malicious user could use this issue to access internal HTTP(s) servers and in the worst case (ie: aws instance) it could be abused to get a remote code execution on the victim machine.

Affected packages (2)

Bitnami/mlflowfrom 0, < 2.9.2
PyPI/mlflowfrom 0, < 2.9.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-6974
WEBhttps://github.com/mlflow/mlflow
WEBhttps://github.com/mlflow/mlflow/commit/8174250f83352a04c2d42079f414759060458555
WEBhttps://huntr.com/bounties/438b0524-da0e-4d08-976a-6f270c688393