Remote Code Execution Vulnerability in mlflow/mlflow version 8.2.1
CVE-2024-0520

8.8HIGH

Key Information:

Vendor

Mlflow

Status
Mlflow/mlflow
Vendor
CVE Published:
6 June 2024

What is CVE-2024-0520?

A vulnerability identified in MLflow version 8.2.1 exposes the application to potential remote code execution due to inadequate sanitization of file paths derived from HTTP headers. The flaw resides within the mlflow.data.http_dataset_source.py module, where user-controlled input from the Content-Disposition header or URL path may be mishandled. Through path traversal techniques, an attacker can manipulate the file path to perform arbitrary file write operations. This could result in command execution on the server, leading to unauthorized access to sensitive data and machine learning models. Users are strongly advised to upgrade to version 2.9.0 or later to mitigate this vulnerability.

Affected Version(s)

mlflow/mlflow < 2.9.0

References

https://huntr.com/bounties/93e470d7-b6f0-409b-af63-49d3e2...
https://github.com/mlflow/mlflow/commit/400c226953b4568f4...

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

CVSS V3.0

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.