Back to KEVs

CVE-2023-1177

Path Traversal: '\..\filename' in mlflow/mlflow

Basic Information

CVE State
PUBLISHED
Reserved Date
March 04, 2023
Published Date
March 24, 2023
Last Updated
February 19, 2025
Vendor
mlflow
Product
mlflow/mlflow
Description
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1.
Tags
nuclei_scanner

CVSS Scores

CVSS v3.1

9.3 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

EPSS Score

Score
93.24% (Percentile: 99.79%) as of 2025-07-29

SSVC Information

Exploitation
poc
Automatable
Yes
Technical Impact
partial

Exploit Status

Exploited in the Wild
Yes (2025-07-07 00:00:00 UTC) Source

References

https://huntr.dev/bounties/1fe8f21a-c438-4cba-9add-e8a5dab94e28 https://github.com/mlflow/mlflow/pull/7891/commits/7162a50c654792c21f3e4a160eb1a0e6a34f6e6e

Known Exploited Vulnerability Information

Source Added Date
The Shadowserver (via CIRCL) 2025-07-08 12:00:35 UTC

Scanner Integrations

Scanner URL Date Detected
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-1177.yaml 2025-04-26 00:00:00 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Detected by Nuclei

  • Added to KEVIntel