{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46554?format=json","vulnerability_id":"VCID-c7tc-cv45-d7c2","summary":"Information exposure in MLflow\nAn issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API.","aliases":[{"alias":"CVE-2023-43472"},{"alias":"GHSA-wqxf-447m-6f5f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38207?format=json","purl":"pkg:pypi/mlflow@2.9.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7m3u-tyeh-rqgz"},{"vulnerability":"VCID-93v9-5y4m-t7dz"},{"vulnerability":"VCID-cu1t-7wnm-y7hk"},{"vulnerability":"VCID-deyg-v3z9-6fet"},{"vulnerability":"VCID-ep2z-9m6r-6ubu"},{"vulnerability":"VCID-g9p5-4cqv-qfew"},{"vulnerability":"VCID-hz26-bm34-gkfx"},{"vulnerability":"VCID-j3ax-7a88-f7ff"},{"vulnerability":"VCID-jbuf-3rr2-5kcv"},{"vulnerability":"VCID-ns8z-pwe6-vbby"},{"vulnerability":"VCID-pzmb-xzk9-s7dy"},{"vulnerability":"VCID-rcqb-2498-77e2"},{"vulnerability":"VCID-s76e-s9ut-2bdq"},{"vulnerability":"VCID-saca-pg4n-xucu"},{"vulnerability":"VCID-syg7-c85s-4ufu"},{"vulnerability":"VCID-vd8p-48kf-yyg6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@2.9.0"}],"affected_packages":[],"references":[{"reference_url":"https://mlflow.org/news/2023/12/06/2.9.0-release/index.html","reference_id":"","reference_type":"","scores":[],"url":"https://mlflow.org/news/2023/12/06/2.9.0-release/index.html"},{"reference_url":"https://www.contrastsecurity.com/security-influencers/discovering-mlflow-framework-zero-day-vulnerability-machine-language-model-security-contrast-security","reference_id":"","reference_type":"","scores":[],"url":"https://www.contrastsecurity.com/security-influencers/discovering-mlflow-framework-zero-day-vulnerability-machine-language-model-security-contrast-security"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-43472","reference_id":"CVE-2023-43472","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-43472"},{"reference_url":"https://github.com/advisories/GHSA-wqxf-447m-6f5f","reference_id":"GHSA-wqxf-447m-6f5f","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-wqxf-447m-6f5f"}],"weaknesses":[{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."}],"exploits":[],"severity_range_score":null,"exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c7tc-cv45-d7c2"}