CVE-2023-3765
Published: 19 July 2023
Summary
CVE-2023-3765 is a critical-severity Absolute Path Traversal (CWE-36) vulnerability in Lfprojects Mlflow. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-3765 is an absolute path traversal vulnerability, tracked as CWE-36, that affects the MLflow machine-learning platform in the GitHub repository mlflow/mlflow prior to version 2.5.0. The flaw received a CVSS 3.1 base score of 10.0, reflecting network attack vector, low attack complexity, no required privileges or user interaction, and changed scope that can produce total loss of confidentiality, integrity, and availability.
An unauthenticated attacker with network access to the MLflow instance can supply crafted paths that escape the intended directories, enabling arbitrary file read or write operations on the hosting server and potentially leading to full system compromise.
The referenced GitHub commit 6dde93758d42455cb90ef324407919ed67668b9b and the associated huntr.dev report indicate that the issue is resolved by upgrading to MLflow 2.5.0 or later. The EPSS score has reached a peak of 0.9279 with a current value of 0.9145, and the affected component is widely used in machine-learning workflows.
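The general CWE-36 pattern in Python, shown as an added example that is not MLflow's code or the fix commit: a `..` filter followed by a join does not stop an absolute path, while resolving first and then checking containment does. The function names and the directory layout are hypothetical, and POSIX paths are assumed.

```python
import os
import tempfile

def naive_resolve(root, user_path):
    """Weak: filters '..' segments, then joins. Illustrative, not MLflow code."""
    if ".." in user_path.replace("\\", "/").split("/"):
        raise ValueError("relative traversal rejected")
    # os.path.join() drops every earlier component when a later one is absolute.
    return os.path.join(root, user_path)

def safe_resolve(root, user_path):
    """Hardened: reject absolute input, then verify the resolved location."""
    root_real = os.path.realpath(root)
    if os.path.isabs(user_path):
        raise ValueError("absolute path rejected")
    # realpath() collapses '..' and follows symlinks before the containment test.
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError("path escapes artifact root")
    return candidate

def is_rejected(root, user_path):
    """True when safe_resolve() refuses the path."""
    try:
        safe_resolve(root, user_path)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "artifacts")    # constructed sample layout
        outside = os.path.join(tmp, "outside")
        os.makedirs(os.path.join(root, "run1"))
        os.makedirs(outside)
        os.symlink(outside, os.path.join(root, "link"))
        target = os.path.join(outside, "secret.txt")
        # The naive helper returns the absolute input unchanged.
        print("naive:", naive_resolve(root, target))
        for p in ("run1/model.pkl", target, "link/secret.txt", "run1/../../outside"):
            print(p, "->", "rejected" if is_rejected(root, p) else "allowed")
```

The containment check is defense in depth for code that handles client-supplied paths; for MLflow itself the remediation remains the upgrade to 2.5.0 or later.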
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2050
Vulnerability details
Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0.
- CWE(s): CWE-36