CVE-2023-6568

CVSS V2 None CVSS V3 None

Description

A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the Content-Type header in POST requests. An attacker can inject malicious JavaScript code into the Content-Type header, which is then improperly reflected back to the user without adequate sanitization or escaping, leading to arbitrary JavaScript execution in the context of the victim's browser. The vulnerability is present in the mlflow/server/auth/__init__.py file, where the user-supplied Content-Type header is directly injected into a Python formatted string and returned to the user, facilitating the XSS attack.

Overview

CVE ID
CVE-2023-6568

Assigner
@huntr_ai

Vulnerability Status
PUBLISHED

Published Version
2023-12-07T04:54:10.377Z

Last Modified Date
2024-04-16T11:10:43.084Z

Weakness Enumerations

CWE	URL
CWE-79	http://cwe.mitre.org/data/definitions/79.html

References

Reference URL	Reference Tags
https://huntr.com/bounties/816bdaaa-8153-4732-951e-b0d92fddf709
https://github.com/mlflow/mlflow/commit/28ff3f94994941e038f2172c6484b65dc4db6ca1

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-6568
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6568

History

Created	Old Value	New Value	Data Type	Notes
2024-06-25 06:17:08				Added to TrackCVE