CVE-2023-6831: 
NixOS vulnerability analysis and mitigation

CVE-2023-6831 is a path traversal vulnerability discovered in MLflow, an open-source platform for managing the machine learning lifecycle, affecting versions prior to 2.9.2. The vulnerability was identified in the artifact deletion functionality of the MLflow repository (SecurityWeek, NVD).

The vulnerability is classified as a path traversal issue of type '..\filename'. It received a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H. The flaw exists in the deletion of artifacts operation, where path validation can be bypassed through the double decoding process in the _delete_artifact_mlflow_artifacts handler and local_file_uri_to_path function (NVD).

When exploited, this vulnerability allows attackers to delete arbitrary directories on the server's filesystem, potentially leading to data loss and system disruption. The high CVSS score reflects the significant potential impact on system integrity and availability (NVD).

The vulnerability has been patched in MLflow version 2.9.2. Users are advised to upgrade to this version or later to mitigate the risk. The fix includes improved validation of user-supplied paths and proper handling of URL encoding (Github Patch).

The vulnerability was discovered through the Huntr bug bounty platform, which focuses on AI/ML security. It was one of several critical vulnerabilities found in popular open-source AI/ML platforms, highlighting the growing importance of security in machine learning infrastructure (SecurityWeek).