MLflow Server-Side Request Forgery (SSRF)

GHSA-59v3-898r-qwhj · BIT-mlflow-2023-6974 · CVE-2023-6974

Published Dec 20, 2023 · Modified Feb 14, 2025

Description

A malicious user could use this issue to access internal HTTP(s) servers and in the worst case (ie: aws instance) it could be abused to get a remote code execution on the victim machine.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-6974
WEB https://github.com/mlflow/mlflow/commit/8174250f83352a04c2d42079f414759060458555
WEB https://github.com/mlflow/mlflow
WEB https://huntr.com/bounties/438b0524-da0e-4d08-976a-6f270c688393

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes