CVE-2023-6974: 
NixOS vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability was discovered in MLflow versions prior to 2.9.2 (CVE-2023-6974). The vulnerability allows a malicious user to access internal HTTP(s) servers and potentially achieve remote code execution on victim machines, particularly in AWS instances. The issue was disclosed on December 20, 2023, and affects all MLflow versions up to (excluding) 2.9.2 (NVD, MITRE).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. It is classified as a CWE-918 (Server-Side Request Forgery) vulnerability. The issue allows attackers to make unauthorized requests to internal services through the MLflow application (NVD).

The vulnerability can be exploited to access internal HTTP(s) servers that should not be accessible from external networks. In the most severe scenario, particularly in AWS environments, it could lead to remote code execution on the victim machine. This poses a significant risk to organizations using affected MLflow versions, especially in cloud environments (NVD).

The vulnerability has been patched in MLflow version 2.9.2. Organizations should upgrade to this version or later to mitigate the risk. The fix was implemented through a commit that adds environment variables to disable redirects (GitHub).