CVE-2023-2356
Published: 28 April 2023
Summary
CVE-2023-2356 is a high-severity Relative Path Traversal (CWE-23) vulnerability in Lfprojects Mlflow. Its CVSS base score is 7.5 (High).
Operationally, this CVE ranks in the top 0.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-2356 is a relative path traversal vulnerability (CWE-23) affecting the MLflow open-source machine-learning platform in the mlflow/mlflow GitHub repository prior to version 2.3.1. The flaw received a CVSS 3.1 base score of 7.5, reflecting a network attack vector with no required privileges or user interaction and a high impact on confidentiality.
An unauthenticated remote attacker can supply crafted path sequences to read arbitrary files on the server hosting the MLflow instance, exposing sensitive configuration data, credentials, or model artifacts without affecting integrity or availability.
The referenced GitHub commit and corresponding huntr.dev report document the fix that was merged to close the traversal issue; practitioners should upgrade to MLflow 2.3.1 or later. The associated EPSS score remains elevated (current 0.8902, peak 0.9049), indicating sustained exploitation interest for this ML-specific component.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-0158
Vulnerability details
Relative Path Traversal in GitHub repository mlflow/mlflow prior to 2.3.1.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.