漏洞描述
未授权访问漏洞是指攻击者未经过身份验证或绕过身份验证机制,就能够访问系统资源或执行敏感操作的安全漏洞。这种漏洞可能导致敏感信息泄露、数据篡改、服务中断等严重后果,给系统安全性带来极大威胁。
MLflow 默认没有认证功能,导致任意用户都可以进入系统进行操作,详情参考:https://avd.aliyun.com/detail?id=AVD-2023-1660217×tamp__1384=n4%2BxnDBDRDyDgDGOxBqtoQ0QkYwDTWYUeD
MLflow 未授权访问漏洞
PoC代码
暂无相关漏洞推荐
- POC CVE-2023-1177: Mlflow <2.2.1 - Local File Inclusion
- POC CVE-2023-2356: Mlflow <2.3.0 - Local File Inclusion
- POC CVE-2023-2780: Mlflow <2.3.1 - Local File Inclusion Bypass
- POC CVE-2023-3765: MLflow Absolute Path Traversal
- POC CVE-2023-43472: MLFlow < 2.8.1 - Sensitive Information Disclosure
- POC CVE-2023-6018: Mlflow - Arbitrary File Write
- POC CVE-2023-6568: Mlflow - Cross-Site Scripting
- POC CVE-2023-6831: mlflow - Path Traversal
- POC CVE-2023-6909: Mlflow <2.9.2 - Path Traversal
- POC CVE-2023-6977: Mlflow <2.8.0 - Local File Inclusion
- POC CVE-2024-1483: Mlflow < 2.9.2 - Path Traversal
- POC CVE-2024-2928: MLflow < 2.11.3 - Path Traversal
- POC CVE-2024-3848: Mlflow < 2.11.0 - Path Traversal