SCA: security update for mlflow (GHSA-vwhf-3v6x-wff8)

medium Tenable Cloud Security Plugin ID 419578

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically
within the handling of the Content-Type header in POST requests. An attacker can inject malicious
JavaScript code into the Content-Type header, which is then improperly reflected back to the user without
adequate sanitization or escaping, leading to arbitrary JavaScript execution in the context of the
victim's browser. The vulnerability is present in the mlflow/server/auth/__init__.py file, where the user-
supplied Content-Type header is directly injected into a Python formatted string and returned to the user,
facilitating the XSS attack. (CVE-2023-6568)

See Also

https://github.com/advisories/GHSA-vwhf-3v6x-wff8

Plugin Details

Severity: Medium

ID: 419578

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.14

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2023-6568

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/7/2023

Vulnerability Publication Date: 12/7/2023

Reference Information

CVE: CVE-2023-6568

cwe: CWE-79