PT-2023-32744 · Jinja2+1 · Jinja2+1

Publicado

2023-12-11

Atualizado

2024-03-06

CVE-2023-6709

CVSS v3.1

Crítica

Vetor

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions mlflow/mlflow versions prior to 2.9.2

Description The issue is related to improper neutralization of special elements used in a template engine. This can lead to remote code execution due to jinja2 SSTI in MLflow.

Recommendations For versions prior to 2.9.2, update to version 2.9.2 or later to resolve the issue. As a temporary workaround, consider disabling the use of the template engine until a patch is available. Restrict access to the vulnerable template engine to minimize the risk of exploitation.

Exploit

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-1336

Identificadores relacionados

BIT-MLFLOW-2023-6709

CVE-2023-6709

GHSA-CXFR-5Q3R-2RC2

PYSEC-2023-281

Produtos afetados

Jinja2

Mlflow

PT-2023-32744 · Jinja2+1 · Jinja2+1

CVE-2023-6709

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 16