CVE-2023-6940
Published: 19 December 2023
Summary
CVE-2023-6940 is a high-severity Command Injection (CWE-77) vulnerability in Lfprojects Mlflow. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). It is ranked at the 35.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as Other Platforms, in the Supply Chain and Deployment risk domain.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-3227
Vulnerability details
With only one user interaction (download a malicious config), attackers can gain full command execution on the victim system.
- CWE(s)
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Reported on Huntr, a bug bounty platform specifically for AI/ML vulnerabilities, indicating that AI-related software is affected, though the specific software is not named in the provided text; the vulnerability involves a malicious config leading to RCE, which is common in AI/ML tools with config loaders.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows attackers to gain full command execution on the victim system with one user interaction (downloading a malicious config file), enabling Exploitation for Client Execution.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.