漏洞描述
MLflow 是一个机器学习的开源平台。MLflow 开源平台 get-artifact 存在目录遍历漏洞,攻击者可通过路径遍历读取系统所有敏感文件,例如 SSH 密钥或内部配置文件,可能导致敏感信息泄露。
MLflow get-artifact /ajax-api/2.0/mlflow/experiments/create 目录遍历漏洞 (CVE-2023-6909)
PoC代码
暂无相关漏洞推荐
- POC CVE-2023-1177: Mlflow <2.2.1 - Local File Inclusion
- POC CVE-2023-2356: Mlflow <2.3.0 - Local File Inclusion
- POC CVE-2023-2780: Mlflow <2.3.1 - Local File Inclusion Bypass
- POC CVE-2023-3765: MLflow Absolute Path Traversal
- POC CVE-2023-43472: MLFlow < 2.8.1 - Sensitive Information Disclosure
- POC CVE-2023-6018: Mlflow - Arbitrary File Write
- POC CVE-2023-6568: Mlflow - Cross-Site Scripting
- POC CVE-2023-6831: mlflow - Path Traversal
- POC CVE-2023-6909: Mlflow <2.9.2 - Path Traversal
- POC CVE-2023-6977: Mlflow <2.8.0 - Local File Inclusion
- POC CVE-2024-1483: Mlflow < 2.9.2 - Path Traversal
- POC CVE-2024-2928: MLflow < 2.11.3 - Path Traversal
- POC CVE-2024-3848: Mlflow < 2.11.0 - Path Traversal