BIT-mlflow-2023-6568

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/mlflow/BIT-mlflow-2023-6568.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-mlflow-2023-6568
Aliases
Published
2024-03-06T10:57:37.872Z
Modified
2024-04-17T07:49:36.668Z
Summary
[none]
Details

A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the Content-Type header in POST requests. An attacker can inject malicious JavaScript code into the Content-Type header, which is then improperly reflected back to the user without adequate sanitization or escaping, leading to arbitrary JavaScript execution in the context of the victim's browser. The vulnerability is present in the mlflow/server/auth/init.py file, where the user-supplied Content-Type header is directly injected into a Python formatted string and returned to the user, facilitating the XSS attack.

References

Affected packages

Bitnami / mlflow

Package

Name
mlflow
Purl
pkg:bitnami/mlflow

Severity

  • 6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.9.0