Vulnerability Details : CVE-2023-6709
Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository mlflow/mlflow prior to 2.9.2.
Products affected by CVE-2023-6709
- cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-6709
0.08%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 37 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-6709
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
10.0
|
CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
3.9
|
6.0
|
huntr.dev | |
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST |
CWE ids for CVE-2023-6709
-
The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.Assigned by: security@huntr.dev (Primary)
References for CVE-2023-6709
-
https://github.com/mlflow/mlflow/commit/432b8ccf27fd3a76df4ba79bb1bec62118a85625
Use `SandboxedEnvironment` when rendering cards (#10640) · mlflow/mlflow@432b8cc · GitHubPatch
-
https://huntr.com/bounties/9e4cc07b-6fff-421b-89bd-9445ef61d34d
Remote Code Execution due to jinja2 SSTI vulnerability found in mlflowExploit;Issue Tracking;Mitigation;Patch;Third Party Advisory
Jump to