CVE-2023-1176: 
Python vulnerability analysis and mitigation

An Absolute Path Traversal vulnerability was identified in MLflow (GitHub repository mlflow/mlflow) versions prior to 2.2.2. The vulnerability, tracked as CVE-2023-1176, was discovered and disclosed in March 2023, affecting users running the MLflow Model Registry with mlflow server or mlflow ui commands. The vulnerability has a CVSS score of 5.3, indicating moderate severity (SecurityOnline).

The vulnerability allows attackers to check the existence of arbitrary files on the host server, including files stored in remote locations that are unrelated to MLflow, provided the server has access to them. The issue stems from improper validation of registered model names containing path separators, which could lead to path traversal attacks (GitHub Commit).

The vulnerability enables attackers to verify the existence of arbitrary files on the host server, potentially exposing sensitive information about the system's file structure. This could be used as a reconnaissance tool for further attacks. Notably, while the open-source MLflow project is affected, the Databricks Managed MLflow product and MLflow on Azure Machine Learning remain unaffected (SecurityOnline).

Users are advised to upgrade to MLflow version 2.2.1 or later to address this vulnerability. For those unable to upgrade immediately, recommended workarounds include implementing a cloud VPC, setting up IP allowlists for inbound requests, using authentication/authorization middleware, and restricting the scope of server's cloud credentials to access only MLflow-related files and directories (SecurityOnline).