
CVE-2023-3765

Severity: Critical · Public PoC referenced

Published: 19 July 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: fixed in MLflow 2.5.0
CVSS v3.1 score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.9145 (99.7th percentile)
Risk priority: 75 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-3765 is a critical-severity Absolute Path Traversal (CWE-36) vulnerability in MLflow (CPE vendor lfprojects). Its CVSS base score is 10.0 (Critical).

Operationally, it is ranked in the top 0.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-3765 is an absolute path traversal vulnerability, tracked as CWE-36, that affects the MLflow machine-learning platform in the GitHub repository mlflow/mlflow prior to version 2.5.0. The flaw received a CVSS 3.1 base score of 10.0, reflecting network attack vector, low attack complexity, no required privileges or user interaction, and changed scope that can produce total loss of confidentiality, integrity, and availability.

An unauthenticated attacker who can reach the MLflow server over the network can supply crafted paths that escape the intended directories, enabling arbitrary file read or write on the host running the MLflow instance and potentially leading to full system compromise. The defining trait of CWE-36, as opposed to relative traversal (CWE-23), is that an absolute path supplied by the client is accepted as-is, so the intended base directory is never applied.
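To make the CWE-36 failure mode concrete, the following is an added illustration (not MLflow's code and not the patched logic from the referenced commit) of the classic unsafe pattern beside a hardened resolver. The base directory, function names and the sample request paths are constructed for the example; the point it shows is that os.path.join silently discards the base when the second argument is absolute, and that a correct fix rejects absolute input and then verifies containment after normalisation rather than trusting a string prefix.

```python
import os

# Constructed artifact root for the example; any absolute directory works.
ARTIFACT_ROOT = "/srv/mlflow/artifacts"


def unsafe_join(base_dir: str, user_path: str) -> str:
    """Vulnerable pattern (CWE-36): os.path.join drops base_dir entirely
    when user_path is absolute, so the caller silently reads or writes
    outside the intended root."""
    return os.path.normpath(os.path.join(base_dir, user_path))


def safe_join(base_dir: str, user_path: str) -> str:
    """Hardened resolver (hypothetical, not MLflow's own fix):
    1. reject empty or absolute client input up front;
    2. resolve the joined path (realpath also follows symlinks);
    3. confirm the result is inside the root using commonpath, which,
       unlike str.startswith, is not fooled by a sibling directory such
       as /srv/mlflow/artifacts2."""
    if not user_path or os.path.isabs(user_path):
        raise ValueError("absolute or empty paths are not allowed")
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, user_path))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes the artifact root")
    return candidate


def escapes_root(base_dir: str, user_path: str) -> bool:
    """True when the hardened resolver would refuse this request."""
    try:
        safe_join(base_dir, user_path)
    except ValueError:
        return False or True
    return False


# Constructed sample client requests (not taken from the advisory or PoC).
SAMPLE_REQUESTS = [
    "run1/model.pkl",        # legitimate artifact path
    "/etc/passwd",           # absolute path: the CWE-36 case
    "../../etc/shadow",      # relative traversal
    "../artifacts2/x",       # sibling-prefix trick
    "run1/../run2/metrics",  # '..' that stays inside the root
]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        verdict = "REJECT" if escapes_root(ARTIFACT_ROOT, req) else "allow"
        print(f"{req!r:24} unsafe -> {unsafe_join(ARTIFACT_ROOT, req):40} hardened -> {verdict}")
```

Running the block prints, for each constructed request, where the unsafe join would actually land versus the hardened resolver's verdict; the absolute request resolves straight to /etc/passwd under the unsafe pattern, which is exactly the behaviour an upgrade to 2.5.0 removes.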

The referenced GitHub commit 6dde93758d42455cb90ef324407919ed67668b9b and the associated huntr.dev report indicate that the issue is resolved by upgrading to MLflow 2.5.0 or later. The EPSS score peaked at 0.9279 and currently stands at 0.9145, and the affected component is widely used in machine-learning workflows, so unpatched, network-exposed tracking servers should be treated as a priority.

Vulnerability details

Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0.

CWE(s): CWE-36 (Absolute Path Traversal)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: lfprojects
Product: mlflow
Versions: ≤ 2.5.0 (as recorded here; the vulnerability description and fix commit state that versions prior to 2.5.0 are affected and that 2.5.0 contains the fix)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.