CVE-2023-6753
Path Traversal vulnerability in mlflow (PyPI)
What is CVE-2023-6753 About?
CVE-2023-6753 is a path traversal vulnerability in mlflow (the PyPI package) in versions before 2.9.2. It was reported through huntr (bounty b397b83a-527a-47e7-b912-a12a17a6cfb4) and fixed in mlflow commit 1c6309f884798fbf56017a3cc808016869ee8de4, which shipped in 2.9.2. A path supplied by a client to the MLflow server was not sufficiently restricted to the directory the server intended to expose, so a crafted request could reference files outside it. The issue is tracked as PYSEC-2023-309 and GHSA-v945-r3rc-6fjm.
Affected Software
- mlflow, versions before 2.9.2 (PyPI)
- mlflow, git checkouts before commit 1c6309f884798fbf56017a3cc808016869ee8de4
Technical Details
Path traversal arises when a server joins a caller-controlled path fragment to a base directory and then opens the result without checking that it still lies under that base. The fragment can carry `..` components, an absolute path, or, on Windows hosts, backslash-separated `..\` components, a drive letter (`C:`) or a UNC prefix, any of which lets the resolved path leave the base directory. MLflow's tracking and artifact server accepts relative paths from clients (artifact paths in particular), which is where a check of this kind is needed. The advisories for CVE-2023-6753 (NVD, GHSA-v945-r3rc-6fjm, PYSEC-2023-309) record the issue as path traversal in mlflow prior to 2.9.2 without naming the endpoint; the fix commit 1c6309f884798fbf56017a3cc808016869ee8de4 (linked under Additional Resources) is the authoritative record of the affected code path and of the validation that was added. Note that a check which only strips forward-slash `../` sequences is not sufficient on Windows, where the filesystem also interprets `..\` and drive-relative forms.
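To make the check concrete, the following is an added example written for this page; it is not MLflow's code and does not reproduce the patched function. It validates a client-supplied relative artifact path under both POSIX and Windows path rules, rejects the traversal forms described above (including a URL-encoded `..`), and joins the path under a root while re-verifying that the normalized result stays inside it. The function names and the root directory `/srv/artifacts` are assumptions made for the illustration.

```python
"""Added example (not MLflow's own code): validate a client-supplied
relative path before joining it to a server-side root directory.

Function names and the root directory used below are assumptions made
for this illustration.
"""
import posixpath
from pathlib import PurePosixPath, PureWindowsPath
from urllib.parse import unquote


def is_safe_relative_path(user_path: str) -> bool:
    """Return True only if user_path is a plain relative path that cannot
    escape its root under either POSIX or Windows path rules.

    The path is parsed with both PurePosixPath and PureWindowsPath because
    a server on Windows treats backslash as a separator and 'C:' as a
    drive: a check that only looks for '../' would accept 'a\\..\\..\\x'.
    """
    if not user_path or "\x00" in user_path:
        return False
    for path_cls in (PurePosixPath, PureWindowsPath):
        p = path_cls(user_path)
        # Absolute paths, drive letters ('C:x') and UNC prefixes all escape
        # the root; pathlib exposes each of these as drive, root or both.
        if p.is_absolute() or p.drive or p.root:
            return False
        # Any '..' component can climb out of the root. '.' components are
        # already collapsed by pathlib and are harmless.
        if ".." in p.parts:
            return False
    return True


def resolve_under_root(root: str, user_path: str) -> str:
    """Join user_path under root and return the normalized result, or raise
    ValueError if the path is unsafe or normalizes to a location outside
    root.

    Both the raw string and its URL-decoded form are validated so that a
    double-encoded '%2e%2e' cannot slip past a web layer that decodes once;
    the raw string is what gets joined, so a literal '%2e%2e' directory
    name is still addressable but can never act as '..'.
    """
    for form in (user_path, unquote(user_path)):
        if not is_safe_relative_path(form):
            raise ValueError(f"unsafe path rejected: {user_path!r}")
    root_norm = posixpath.normpath(root)
    # Treat backslashes as separators so the containment check below sees
    # the same components a Windows filesystem would.
    full = posixpath.normpath(posixpath.join(root_norm, user_path.replace("\\", "/")))
    if full != root_norm and not full.startswith(root_norm + "/"):
        raise ValueError(f"path escapes root: {user_path!r}")
    return full


if __name__ == "__main__":
    # Constructed sample inputs: the first is legitimate, the rest are
    # traversal attempts in POSIX, Windows and URL-encoded forms.
    samples = [
        "exp/1/model.pkl",
        "../../etc/passwd",
        "..\\..\\Windows\\win.ini",
        "C:\\Windows\\win.ini",
        "exp/%2e%2e/%2e%2e/etc/passwd",
    ]
    for s in samples:
        try:
            print(f"{s!r:40} -> {resolve_under_root('/srv/artifacts', s)}")
        except ValueError as exc:
            print(f"{s!r:40} -> rejected ({exc})")
```

The containment check after normalization is deliberately redundant with the component check: if a future change relaxes one of them, the other still stops a path from leaving the root. Rejecting the Windows drive form also rejects any POSIX filename containing a colon before a slash, which is an acceptable trade for artifact paths.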
What is the Impact of CVE-2023-6753?
An attacker who can reach a vulnerable MLflow server can make it operate on a file outside the directory it intended to expose. Depending on the endpoint involved, that means reading files from the server host (source, credentials, other users' artifacts) or writing files to attacker-chosen locations; either outcome compromises the confidentiality and integrity of the host running the server.
What is the Exploitability of CVE-2023-6753?
Exploitation requires only a crafted HTTP request to a reachable MLflow server; no code on the victim host and no knowledge beyond ordinary path traversal techniques are needed. MLflow's tracking server does not enforce authentication unless the operator configures it (the optional basic-auth app was added in 2.5), so an exposed server is typically reachable by unauthenticated clients. Risk is highest for servers running mlflow < 2.9.2 that are bound to a non-loopback interface, in particular internet-facing deployments, and for servers on Windows hosts, where backslash and drive-letter path forms are also accepted by the filesystem.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known public exploits | | |
What are the Available Fixes for CVE-2023-6753?
Available Upgrade Options
- mlflow <2.9.2 → upgrade to 2.9.2 or later (for example `pip install "mlflow>=2.9.2"`)
- mlflow installed from a git checkout before commit 1c6309f884798fbf56017a3cc808016869ee8de4 → rebuild from that commit or any later one
Additional Resources
- https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2023-309.yaml
- https://osv.dev/vulnerability/PYSEC-2023-309
- https://huntr.com/bounties/b397b83a-527a-47e7-b912-a12a17a6cfb4
- https://github.com/mlflow/mlflow/commit/1c6309f884798fbf56017a3cc808016869ee8de4
- https://nvd.nist.gov/vuln/detail/CVE-2023-6753
- https://github.com/mlflow/mlflow
- https://osv.dev/vulnerability/GHSA-v945-r3rc-6fjm
What are Similar Vulnerabilities to CVE-2023-6753?
Similar Vulnerabilities: CVE-2020-28283, CVE-2020-8200, CVE-2019-11358, CVE-2019-10744, CVE-2018-3721
