CVE-2023-6975: 
NixOS vulnerability analysis and mitigation

CVE-2023-6975 is a critical security vulnerability discovered in MLFlow versions up to (excluding) 2.9.2. The vulnerability was disclosed on December 20, 2023, and allows a malicious user to gain command execution on the vulnerable machine and access data & models information (NVD, SecurityWeek).

The vulnerability has received a CVSS v3.1 base score of 9.8 (Critical), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability can be exploited remotely with low attack complexity, requires no privileges or user interaction, and can result in high impact to confidentiality, integrity, and availability (NVD).

The successful exploitation of this vulnerability allows attackers to execute commands on the vulnerable system and gain access to sensitive data and model information. This poses a significant risk to organizations using MLFlow, as it could lead to unauthorized access to machine learning models and associated data (NVD).

The vulnerability has been patched in MLFlow version 2.9.2. Organizations using affected versions should upgrade to the patched version immediately. A fix has been implemented that applies os.path.basename before checking for '.' or '..' in the FTPArtifactRepository (GitHub Patch).

The vulnerability was discovered through Protect AI's bug bounty program called huntr, which has become a significant platform for identifying security issues in AI/ML tools. This discovery is part of a larger set of vulnerabilities found in the AI development supply chain, highlighting the growing concern around security in AI/ML tools (SecurityWeek).