CVE-2025-11200 — MLflow Weak Password Requirements Authentication Bypass Vulnerability

描述

MLflow Weak Password Requirements Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. The issue results from weak password requirements. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26916.

如何修補 CVE-2025-11200

要修補 CVE-2025-11200,請將受影響套件升級到下列已修補版本。

—升級至 2.21.1 或更新版本
—升級至 2.22.0rc0 或更新版本

CVE-2025-11200 正在被利用嗎?

低 — EPSS 為 0.2%,目前沒有觀察到大規模利用活動。

受影響套件(2)

from 0, < 2.21.1
from 0, < 2.22.0rc0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH8.1	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-11200
PATCHgithub.com/mlflow/mlflow
WEBgithub.com/mlflow/mlflow/commit/1f74f3f24d8273927b8db392c23e108576936c54
WEBwww.zerodayinitiative.com/advisories/ZDI-25-932
WEB