CVE-2023-43472
Published: 05 December 2023
Summary
CVE-2023-43472 is a high-severity vulnerability in Lfprojects Mlflow (MLflow) for which no specific weakness type (CWE) has been assigned. Its CVSS base score is 7.5 (High).
It ranks in the top 1.2% of CVEs by estimated exploit likelihood (EPSS); it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-43472 is an information disclosure vulnerability affecting MLflow versions 2.8.1 and earlier. The flaw resides in the tracking server's REST API and lets a remote attacker retrieve sensitive data with a specially crafted request. The CVSS 7.5 rating reflects a network-reachable confidentiality impact that requires no authentication.
A remote, unauthenticated attacker sends crafted requests directly to the MLflow REST API and extracts sensitive information from the affected deployment. Because the attack needs neither credentials nor user interaction, any MLflow instance whose REST API is reachable from untrusted networks is exposed.
The referenced Contrast Security analysis describes the issue as a zero-day discovered in the MLflow framework and notes its relevance to machine-learning model security workflows. The EPSS score, which estimates the probability of exploitation in the wild over the following 30 days, peaked at 0.7443 and currently stands at 0.7277, indicating sustained exploitation interest since disclosure.
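The two checks a defender would actually run against the exposure described above, as an added example that is not part of this advisory, of the Contrast Security analysis, or of MLflow itself. It (1) decides whether a reported MLflow version falls in the "2.8.1 and before" affected range and (2) scans reverse-proxy access logs for tracking-API requests that were served to external clients without any authenticated user. Assumptions, labelled in the code as well: the log lines are constructed in the common "combined" proxy format (not MLflow's own log format); the tracking REST API is taken to live under `/api/2.0/mlflow/` and the UI's `/ajax-api/2.0/mlflow/`; the trusted address ranges are placeholders; and the optional live probe assumes the tracking server answers `GET /version` with its version string.

```python
"""Added example for CVE-2023-43472 (not the advisory's or MLflow's code).

Assumptions (also stated in the lead-in):
- "affected" means an MLflow version <= 2.8.1, as the advisory states.
- Log lines are constructed, in combined reverse-proxy format:
  remote_addr - remote_user [time] "METHOD path HTTP/x" status bytes
- MLflow's tracking REST API is reached under /api/2.0/mlflow/ (UI: /ajax-api/2.0/mlflow/).
- TRUSTED_NETS is a placeholder for the deployment's own internal ranges.
- probe_version() assumes the tracking server serves GET /version (not exercised offline).
"""
import ipaddress
import re
import urllib.request

LAST_AFFECTED = (2, 8, 1)  # "2.8.1 and before" per the advisory text
API_PREFIXES = ("/api/2.0/mlflow/", "/ajax-api/2.0/mlflow/")
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),      # assumption: internal ranges
                ipaddress.ip_network("127.0.0.0/8")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def parse_version(s):
    """Turn '2.8.1', 'v2.9', or '2.9.0rc1' into a (major, minor, patch) tuple.

    Pre-release suffixes are dropped, so 2.9.0rc1 compares as 2.9.0; if you run
    pre-releases, confirm against the project's own fix rather than this range.
    """
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", s)
    if not m:
        raise ValueError(f"unrecognised MLflow version string: {s!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version_string):
    """True when the version is within the advisory's affected range (<= 2.8.1)."""
    return parse_version(version_string) <= LAST_AFFECTED


def probe_version(base_url, timeout=5):
    """Live check: fetch the server-reported version and classify it.

    Assumes the tracking server exposes GET /version returning a bare version string.
    """
    with urllib.request.urlopen(base_url.rstrip("/") + "/version", timeout=timeout) as r:
        reported = r.read().decode("utf-8", "replace").strip()
    return reported, is_affected(reported)


def flag_external_api_hits(lines, trusted_nets=TRUSTED_NETS):
    """Return (ip, path, status) for tracking-API requests that were served (2xx)
    to a source outside trusted_nets with no authenticated user ('-' field).

    Those are exactly the requests the advisory describes: reachable, unauthenticated,
    and answered. Rejected (4xx) or authenticated requests are not flagged.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path").split("?", 1)[0]
        if not path.startswith(API_PREFIXES):
            continue
        src = ipaddress.ip_address(m.group("ip"))
        if any(src in net for net in trusted_nets):
            continue
        if m.group("user") != "-":
            continue  # a proxy-authenticated user was present
        if not m.group("status").startswith("2"):
            continue  # request was not served
        hits.append((str(src), path, int(m.group("status"))))
    return hits


# Constructed sample log (addresses from documentation ranges); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Dec/2023:10:01:02 +0000] "GET /api/2.0/mlflow/experiments/search?max_results=100 HTTP/1.1" 200 4096
10.1.2.3 - - [05/Dec/2023:10:01:05 +0000] "GET /api/2.0/mlflow/runs/get?run_id=abc HTTP/1.1" 200 812
203.0.113.7 - - [05/Dec/2023:10:01:09 +0000] "GET /api/2.0/mlflow/artifacts/list?run_id=abc HTTP/1.1" 200 2210
198.51.100.4 - alice [05/Dec/2023:10:02:00 +0000] "GET /api/2.0/mlflow/experiments/search HTTP/1.1" 200 1200
198.51.100.9 - - [05/Dec/2023:10:02:30 +0000] "GET /api/2.0/mlflow/experiments/search HTTP/1.1" 401 0
203.0.113.7 - - [05/Dec/2023:10:03:00 +0000] "GET / HTTP/1.1" 200 3000
""".splitlines()

if __name__ == "__main__":
    for v in ("2.8.1", "2.8.2", "2.9.0"):
        print(v, "affected" if is_affected(v) else "not in affected range")
    for ip, path, status in flag_external_api_hits(SAMPLE_LOG):
        print(f"unauthenticated external API hit: {ip} {path} -> {status}")
```

Run it as-is to see the version classification and the two flagged sample requests; point `flag_external_api_hits` at your own proxy log and adjust `TRUSTED_NETS` to your internal ranges. The `user` field only reflects authentication performed at the proxy, so a server with no proxy auth at all will show `-` on every line, which is itself the finding.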
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-3318
Vulnerability details
An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API.
- CWE(s): none assigned
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
MLflow (Lfprojects Mlflow) versions 2.8.1 and earlier, in particular any deployment whose tracking-server REST API is reachable without authentication.
Mitigating Controls
No mitigating controls mapped yet. Pending a formal mapping, the controls that follow directly from the description are to upgrade to a version outside the affected range (later than 2.8.1) and to keep the tracking server's REST API off untrusted networks, since the flaw is reachable without credentials.