Mlflow
CVE-2024-3848
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 10 pypi packages depend on mlflow (10 direct, 0 indirect)
Ecosystem-wide dependent count for version 2.9.2.
DescriptionNVD
A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '#' character can be used to insert a path into the fragment, effectively skipping validation. This allows an attacker to construct a URL that, when processed, ignores the protocol scheme and uses the provided path for filesystem access. As a result, an attacker can read arbitrary files, including sensitive information such as SSH and cloud keys, by exploiting the way the application converts the URL into a filesystem path. The issue stems from insufficient validation of the fragment portion of the URL, leading to arbitrary file read through path traversal.
AnalysisAI
A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified under CWE-29. A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '#' character can be used to insert a path into the fragment, effectively skipping validation. This allows an attacker to construct a URL that, when processed, ignores the protocol scheme and uses the provided path for filesystem access. As a result, an attacker can read arbitrary files, including sensitive information such as SSH and cloud keys, by exploiting the way the application converts the URL into a filesystem path. The issue stems from insufficient validation of the fragment portion of the URL, leading to arbitrary file read through path traversal. Affected products include: Lfprojects Mlflow. Version information: version 2.11.0.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. Rated high severity (CVSS 7.5), this vulnerabilit
Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0. Rated critical severity (CVSS 10.0), this vul
A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models
A malicious user could use this issue to access internal HTTP(s) servers and in the worst case (ie: aws instance) it cou
An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirment. Rated critical s
An attacker can overwrite any file on the server hosting MLflow without any authentication. Rated critical severity (CVS
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.3.1. Rated critical severity (CVSS 9.8), th
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1. Rated critical severity (CVSS 9.8), th
Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. Rated critical se
Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe. Rated critical severity (CVSS 9.6), t
mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass
A vulnerability in mlflow/mlflow version 8.2.1 allows for remote code execution due to improper neutralization of specia
Same weakness CWE-29 – Path Traversal: '\\..\\filename'
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today