CRITICAL 9.1
GHSA-4qq5-mxxx-m6gg
MLflow authentication requirement bypass can allow a user to arbitrarily create an account
Details
An attacker can create an account in MLflow at will, bypassing any authentication requirement.
References
- https://nvd.nist.gov/vuln/detail/CVE-2023-6014 [ADVISORY]
- https://github.com/mlflow/mlflow/issues/9669 [WEB]
- https://github.com/mlflow/mlflow/pull/9700 [WEB]
- https://github.com/mlflow/mlflow/commit/32de2154ef9f946160e5dc01a4d8a449dd0bd259 [WEB]
- https://github.com/mlflow/mlflow [PACKAGE]
- https://github.com/mlflow/mlflow/releases/tag/v2.8.0 [WEB]
- https://huntr.com/bounties/3e64df69-ddc2-463e-9809-d07c24dc1de4 [WEB]