CVE-2023-1177

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-1177
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/mlflow/mlflow/pull/7891/commits/7162a50c654792c21f3e4a160eb1a0e6a34f6e6e Patch
https://huntr.dev/bounties/1fe8f21a-c438-4cba-9add-e8a5dab94e28 Exploit Patch Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*
History

02 Nov 2023, 18:15

Type Values Removed Values Added
CWE CWE-22 CWE-29

25 Oct 2023, 20:30

Type Values Removed Values Added
CWE CWE-29 CWE-22
References (MISC) https://github.com/mlflow/mlflow/pull/7891/commits/7162a50c654792c21f3e4a160eb1a0e6a34f6e6e - (MISC) https://github.com/mlflow/mlflow/pull/7891/commits/7162a50c654792c21f3e4a160eb1a0e6a34f6e6e - Patch

10 Oct 2023, 08:15

Type Values Removed Values Added
Summary Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1. Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1.
References
  • {'url': 'https://github.com/mlflow/mlflow/commit/7162a50c654792c21f3e4a160eb1a0e6a34f6e6e', 'name': 'https://github.com/mlflow/mlflow/commit/7162a50c654792c21f3e4a160eb1a0e6a34f6e6e', 'tags': ['Patch'], 'refsource': 'MISC'}
  • (MISC) https://github.com/mlflow/mlflow/pull/7891/commits/7162a50c654792c21f3e4a160eb1a0e6a34f6e6e -

28 Mar 2023, 14:42

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.8
First Time Lfprojects mlflow
Lfprojects
CPE cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*
References (MISC) https://github.com/mlflow/mlflow/commit/7162a50c654792c21f3e4a160eb1a0e6a34f6e6e - (MISC) https://github.com/mlflow/mlflow/commit/7162a50c654792c21f3e4a160eb1a0e6a34f6e6e - Patch
References (CONFIRM) https://huntr.dev/bounties/1fe8f21a-c438-4cba-9add-e8a5dab94e28 - (CONFIRM) https://huntr.dev/bounties/1fe8f21a-c438-4cba-9add-e8a5dab94e28 - Exploit, Patch, Third Party Advisory

24 Mar 2023, 15:15

Type Values Removed Values Added
New CVE
Information

Published : 2023-03-24 15:15

Updated : 2023-12-10 15:01

NVD link : CVE-2023-1177

Mitre link : CVE-2023-1177

CVE.ORG link : CVE-2023-1177

JSON object : View

Products Affected

lfprojects

  • mlflow
CWE
CWE-29

Path Traversal: '\..\filename'

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')