CVE-2023-6568: 
NixOS vulnerability analysis and mitigation

A reflected Cross-Site Scripting (XSS) vulnerability (CVE-2023-6568) was discovered in the mlflow/mlflow repository prior to version 2.9.0. The vulnerability exists specifically within the handling of the Content-Type header in POST requests, where user-supplied input in the Content-Type header is improperly reflected back without adequate sanitization (NVD).

The vulnerability is present in the mlflow/server/auth/init.py file, where the Content-Type header from POST requests is directly injected into a Python formatted string and returned to the user without proper sanitization or escaping. This allows an attacker to inject malicious JavaScript code that gets executed in the context of the victim's browser. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

When successfully exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the context of the victim's browser. This can lead to various attacks including theft of sensitive information, session hijacking, or manipulation of the web interface content (NVD).

The vulnerability has been fixed in MLflow version 2.9.0. Users are advised to upgrade to this version or later. The fix includes proper validation of the Content-Type header to prevent XSS attacks (GitHub Patch).