PT-2023-32744 · Jinja2+1 · Jinja2+1

Published

2023-12-11

Updated

2024-03-06

CVE-2023-6709

CVSS v3.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions mlflow/mlflow versions prior to 2.9.2

Description The issue is related to improper neutralization of special elements used in a template engine. This can lead to remote code execution due to jinja2 SSTI in MLflow.

Recommendations For versions prior to 2.9.2, update to version 2.9.2 or later to resolve the issue. As a temporary workaround, consider disabling the use of the template engine until a patch is available. Restrict access to the vulnerable template engine to minimize the risk of exploitation.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-1336

Related Identifiers

BIT-MLFLOW-2023-6709

CVE-2023-6709

GHSA-CXFR-5Q3R-2RC2

PYSEC-2023-281

Affected Products

Jinja2

Mlflow

PT-2023-32744 · Jinja2+1 · Jinja2+1

CVE-2023-6709

Weakness Enumeration

Related Identifiers

Affected Products

References · 16