Cyber Resilience

CVE-2023-6940

HighRCE

Published: 19 December 2023

Published
19 December 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0015 35.5th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-6940 is a high-severity Command Injection (CWE-77) vulnerability in Lfprojects Mlflow. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 35.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Other Platforms; in the Supply Chain and Deployment risk domain.

EU & UK References

Vulnerability details

with only one user interaction(download a malicious config), attackers can gain full command execution on the victim system.

CWE(s)

AI Security AnalysisAI

AI Category
Other Platforms
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Reported on Huntr, a bug bounty platform specifically for AI/ML vulnerabilities, indicating AI-related software affected, though specific software not named in provided text; vulnerability involves malicious config leading to RCE, common in AI/ML tools with config loaders.

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The vulnerability allows attackers to gain full command execution on the victim system with one user interaction (downloading a malicious config file), enabling Exploitation for Client Execution.

Affected Assets

lfprojects
mlflow
≤ 2.9.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References