CVE-2023-4033
- Source
- https://cve.org/CVERecord?id=CVE-2023-4033
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-4033.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2023-4033
- Aliases
- Published
- 2023-08-01T00:00:20.302Z
- Modified
- 2026-04-02T09:18:52.792816Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- OS Command Injection in mlflow/mlflow
- Details
-
OS Command Injection in GitHub repository mlflow/mlflow prior to 2.6.0.
- Database specific
{ "cwe_ids": [ "CWE-78" ], "cna_assigner": "@huntrdev", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/4xxx/CVE-2023-4033.json" }- References
Affected packages
Git / github.com/mlflow/mlflow
Affected ranges
- Type
- GIT
- Repo
- https://github.com/mlflow/mlflow
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
1.*
1.0.0
1.4.0+criteo.1573575590
1.4.0+criteo.1573828370
1.4.0+criteo.1574078003
1.4.0+criteo.1574177271
1.4.0+criteo.1574253689
1.4.0+criteo.1574339003
1.4.0+criteo.1574428473
1.4.0+criteo.1574687416
1.4.0+criteo.1574945976
1.4.0+criteo.1575552470
1.4.0+criteo.1575908546
1.4.0+criteo.1575984945
1.4.0+criteo.1576154761
1.4.0+criteo.1576588339
1.4.0+criteo.1576594599
1.4.0+criteo.1576835219
1.5.0+criteo.1577105020
1.5.0+criteo.1577454040
1.5.0+criteo.1577960544
1.5.0+criteo.1578400847
1.5.0+criteo.1578481563
1.5.0+criteo.1578667815
1.5.1+criteo.1579106976
1.5.1+criteo.1579186580
1.5.1+criteo.1580123040
1.5.1+criteo.1580140884
1.5.1.dev0+criteo.1578998608
1.6.0+criteo.1580724964
1.6.1.dev0+criteo.1580735356
42.*
42.0+criteo.1580736277
42.0+criteo.1580821686
42.0+criteo.1580917161
42.0+criteo.1580989984
42.0+criteo.1581092106
42.0+criteo.1581341516
42.0+criteo.1581516212
42.0+criteo.1581596667
42.0+criteo.1581945227
42.0+criteo.1582288688
42.0+criteo.1582638274
42.0+criteo.1582736426
42.0+criteo.1583162775
42.0+criteo.1583312276
42.0+criteo.1583416453
42.0+criteo.1583490839
42.0+criteo.1583943224
Other
list
nightly
v0.*
v0.2.0
v0.2.1
v0.3.0
v0.4.0
v0.4.1
v0.4.2
v0.5.0
v0.5.1
v0.5.2
v0.6.0
v0.7
v0.7.0
v0.8.0
v0.8.1
v0.8.2
v0.9.0
v0.9.1
v1.*
v1.1.0
v1.10.0
v1.11.0
v1.12.0
v1.12.1
v1.13.0
v1.13.1
v1.14.0
v1.14.1
v1.15.0
v1.16.0
v1.17.0
v1.18.0
v1.19.0
v1.2.0
v1.20.0
v1.20.1
v1.20.2
v1.21.0
v1.22.0
v1.23.0
v1.23.1
v1.24.0
v1.25.0
v1.25.1
v1.26.0
v1.26.1
v1.27.0
v1.28.0
v1.29.0
v1.3.0
v1.30.0
v1.4.0
v1.5.0
v1.6.0
v1.7.0
v1.7.1
v1.7.2
v1.8.0
v1.9.0
v1.9.1
v2.*
v2.0.0
v2.0.0rc0
v2.0.1
v2.1.0
v2.1.1
v2.10.0
v2.10.1
v2.10.2
v2.11.0
v2.11.1
v2.11.2
v2.11.3
v2.12.1
v2.12.2
v2.13.0
v2.13.1
v2.13.2
v2.14.0
v2.14.1
v2.14.2
v2.14.3
v2.15.0
v2.15.0rc0
v2.15.1
v2.16.0
v2.16.1
v2.16.2
v2.17.0
v2.17.0rc0
v2.17.1
v2.17.2
v2.18.0
v2.18.0rc0
v2.19.0
v2.19.0rc0
v2.2.0
v2.2.1
v2.2.2
v2.20.0
v2.20.0rc0
v2.20.1
v2.20.2
v2.20.3
v2.20.4
v2.21.0
v2.21.0rc0
v2.21.1
v2.21.2
v2.21.3
v2.22.0
v2.22.0rc0
v2.22.1
v2.22.2
v2.22.3
v2.22.4
v2.3.0
v2.3.1
v2.3.2
v2.4.0
v2.4.1
v2.4.2
v2.5.0
v2.7.0
v2.7.1
v2.8.0
v2.8.1
v2.9.0
v2.9.1
v2.9.2
v3.*
v3.0.0
v3.0.0rc0
v3.0.0rc1
v3.0.0rc2
v3.0.0rc3
v3.0.1
v3.1.0
v3.1.0rc0
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.10.0
v3.10.0rc0
v3.10.1
v3.11.0rc0
v3.11.0rc1
v3.2.0
v3.2.0rc0
v3.3.0
v3.3.0rc0
v3.3.1
v3.3.2
v3.4.0
v3.4.0rc0
v3.5.0
v3.5.0rc0
v3.5.1
v3.6.0
v3.6.0rc0
v3.7.0
v3.7.0rc0
v3.8.0
v3.8.0rc0
v3.8.1
v3.9.0
v3.9.0rc0
Database specific
vanir_signatures
[
{
"digest": {
"line_hashes": [
"158201933246649050684175669332133033066",
"190625738861903660691580362111625652695",
"172096855605516421170840787354612637127",
"104809843383114629816838069152060907540"
],
"threshold": 0.9
},
"id": "CVE-2023-4033-05fc0e65",
"source": "https://github.com/mlflow/mlflow/commit/693b694036bac735dae810eaad9622c519550751",
"signature_type": "Line",
"target": {
"file": "mlflow/java/scoring/src/main/java/org/mlflow/sagemaker/ScoringServer.java"
},
"signature_version": "v1",
"deprecated": false
},
{
"digest": {
"line_hashes": [
"16274644192192082878259755174561049540",
"143877553319587094893362891285023289246",
"226220528622614689734168929956988190803",
"167861059151198616996901880751026931574"
],
"threshold": 0.9
},
"id": "CVE-2023-4033-23b74466",
"source": "https://github.com/mlflow/mlflow/commit/693b694036bac735dae810eaad9622c519550751",
"signature_type": "Line",
"target": {
"file": "mlflow/java/scoring/src/test/java/org/mlflow/ScoringServerTest.java"
},
"signature_version": "v1",
"deprecated": false
},
{
"digest": {
"length": 197.0,
"function_hash": "203326831794420579606451987216225379673"
},
"id": "CVE-2023-4033-57b517c1",
"source": "https://github.com/mlflow/mlflow/commit/693b694036bac735dae810eaad9622c519550751",
"signature_type": "Function",
"target": {
"file": "mlflow/java/scoring/src/main/java/org/mlflow/sagemaker/ScoringServer.java",
"function": "doGet"
},
"signature_version": "v1",
"deprecated": false
},
{
"digest": {
"length": 491.0,
"function_hash": "267333881600464447824922367259571276934"
},
"id": "CVE-2023-4033-70964eaa",
"source": "https://github.com/mlflow/mlflow/commit/693b694036bac735dae810eaad9622c519550751",
"signature_type": "Function",
"target": {
"file": "mlflow/java/scoring/src/test/java/org/mlflow/ScoringServerTest.java",
"function": "testScoringServerWithValidPredictorRespondsToVersionCorrectly"
},
"signature_version": "v1",
"deprecated": false
}
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-4033.json"