Home » Database

AVID-2026-R1327

Description

Reflected XSS via Content-Type Header in mlflow/mlflow (CVE-2023-6568)

Details

A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the Content-Type header in POST requests. An attacker can inject malicious JavaScript code into the Content-Type header, which is then improperly reflected back to the user without adequate sanitization or escaping, leading to arbitrary JavaScript execution in the context of the victim’s browser. The vulnerability is present in the mlflow/server/auth/init.py file, where the user-supplied Content-Type header is directly injected into a Python formatted string and returned to the user, facilitating the XSS attack.

Reason for inclusion in AVID: CVE-2023-6568 is a reflected XSS vulnerability in mlflow/mlflow, a component commonly used in ML pipelines and AI lifecycle tooling. It affects software used to build/deploy/run AI systems, representing a security vulnerability in the AI software supply chain. The report provides concrete details and references.

References

Affected or Relevant Artifacts

  • Developer: mlflow
  • Deployer: mlflow
  • Artifact Details:
TypeName
Systemmlflow/mlflow

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version3.0
Vector StringCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Base Score6.5
Base Severity🟠 Medium
Attack VectorNETWORK
Attack Complexity🟢 Low
Privileges RequiredNONE
User InteractionREQUIRED
ScopeUNCHANGED
Confidentiality Impact🔴 High
Integrity ImpactNONE
Availability ImpactNONE

CWE

IDDescription
CWE-79CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2023-12-07
  • Version: 0.3.3
  • AVID Entry