CVE-2023-2356

Severity: High · Public PoC referenced

Published: 28 April 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: available (MLflow 2.3.1)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.8902 (99.5th percentile)
Risk Priority: 68 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-2356 is a high-severity relative path traversal (CWE-23) vulnerability in MLflow, the open-source machine-learning platform published by LF Projects (CPE vendor lfprojects, product mlflow). Its CVSS 3.1 base score is 7.5 (High).

Operationally, its EPSS score places it in the top 0.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-2356 is a relative path traversal vulnerability (CWE-23) affecting the MLflow open-source machine-learning platform, tracked in the mlflow/mlflow GitHub repository, in versions prior to 2.3.1. The flaw received a CVSS 3.1 base score of 7.5, reflecting a network-reachable, low-complexity attack that needs no credentials or user interaction, with high impact on confidentiality and none on integrity or availability.

An unauthenticated remote attacker can supply a file path containing relative traversal components (such as ../ sequences) that the server joins onto a base directory without adequate validation, allowing reads of arbitrary files on the host running the MLflow instance. Exposure is bounded by the permissions of the MLflow server process, but in practice that typically includes configuration data, credentials, and model artifacts. The flaw does not affect integrity or availability.

The referenced GitHub commit and the corresponding huntr.dev report document the fix that was merged to close the traversal issue; practitioners should upgrade to MLflow 2.3.1 or later. The associated EPSS score, an estimate of the probability of exploitation activity in the wild over the next 30 days, remains elevated (current 0.8902, peak 0.9049), indicating sustained exploitation interest in this ML-specific component.
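The traversal pattern and the check that closes it, as an added illustration that is not MLflow's code and not the fix from the referenced commit. The artifact root, the function names and the sample requests are all constructed for the example; the hardened validator generalizes the CWE-23 defence (reject absolute paths and any surviving .. component after decoding and normalization, then confirm containment with realpath) rather than reproducing MLflow's specific change.

```python
import os
import posixpath
from urllib.parse import unquote

# Constructed artifact root for this example; not a real deployment path.
ARTIFACT_ROOT = "/srv/mlflow/artifacts"


def vulnerable_resolve(root: str, requested: str) -> str:
    """Naive join that trusts the client-supplied relative path.

    Illustrates the CWE-23 pattern in general terms (hypothetical code, not
    MLflow's): the web framework has already URL-decoded the parameter
    (modelled here with unquote), the '..' components survive the join, and
    normpath then lets them climb out of `root`.
    """
    return posixpath.normpath(posixpath.join(root, unquote(requested)))


def is_safe_relative_path(requested: str) -> bool:
    """Syntactic check: reject absolute paths and any path that climbs
    above its base directory.

    Hypothetical hardened validator, not MLflow's own:
    - URL-decode once so '%2e%2e' is seen as '..'
    - treat backslashes as separators so 'a\\..\\b' cannot bypass a
      forward-slash-only check
    - normalize, then refuse absolute paths and any remaining '..'
    """
    decoded = unquote(requested).replace("\\", "/")
    if decoded.startswith("/"):
        return False
    normalized = posixpath.normpath(decoded)
    # normpath collapses 'a/../b' to 'b' but cannot remove a leading '..';
    # any '..' component left after normalization would escape the root.
    return ".." not in normalized.split("/")


def safe_resolve(root: str, requested: str) -> str:
    """Defense in depth: syntactic check plus filesystem containment."""
    if not is_safe_relative_path(requested):
        raise ValueError(f"rejected unsafe path: {requested!r}")
    root_real = os.path.realpath(root)
    cleaned = unquote(requested).replace("\\", "/")
    target = os.path.realpath(os.path.join(root_real, cleaned))
    # realpath follows symlinks, so commonpath also catches an escape via a
    # symlink inside the artifact tree, which the string check cannot see.
    if os.path.commonpath([root_real, target]) != root_real:
        raise ValueError(f"path escapes artifact root: {requested!r}")
    return target


def resolve_or_none(root: str, requested: str):
    """Wrapper returning None instead of raising, for callers that only
    need an allow/deny decision."""
    try:
        return safe_resolve(root, requested)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample requests, as a legitimate client and an attacker
    # might send them to an artifact-download endpoint.
    samples = [
        "models/run1/model.pkl",
        "models/./run1/../run2/model.pkl",
        "../../../etc/passwd",
        "models/../../../../etc/passwd",
        "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
        "models\\..\\..\\..\\..\\etc\\passwd",
        "/etc/passwd",
    ]
    for req in samples:
        print(f"{req!r:45} naive -> {vulnerable_resolve(ARTIFACT_ROOT, req)}"
              f"  hardened -> {resolve_or_none(ARTIFACT_ROOT, req)}")
```

The two-layer design matters: the string check alone misses symlinks planted inside the artifact tree, and the realpath check alone is awkward to reason about for paths that do not exist yet, so the validator applies both and fails closed on either. Decoding happens exactly once; a second unquote would reopen the double-encoding bypass.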

Vulnerability details

Relative Path Traversal in GitHub repository mlflow/mlflow prior to 2.3.1.

CWE(s)

CWE-23: Relative Path Traversal

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: lfprojects
Product: mlflow
Versions: < 2.3.1 (fixed in 2.3.1)

Mitigating Controls

No mitigating controls have been mapped for this CVE yet. Pending that mapping, the controls that follow from the vulnerability class and from the fix described above: upgrade to MLflow 2.3.1 or later; do not expose the MLflow tracking server directly to untrusted networks, and place an authenticating reverse proxy in front of it; run the server under a dedicated low-privilege account with a separate artifact root so that a traversal read cannot reach host credentials or other services' configuration.