Remote Code Execution Vulnerability in mlflow/mlflow version 8.2.1
CVE-2024-0520

8.8HIGH

Key Information:

Vendor: Mlflow
Status: Mlflow/mlflow
Vendor: CVE Published:; 6 June 2024

Summary

A vulnerability identified in MLflow version 8.2.1 exposes the application to potential remote code execution due to inadequate sanitization of file paths derived from HTTP headers. The flaw resides within the mlflow.data.http_dataset_source.py module, where user-controlled input from the Content-Disposition header or URL path may be mishandled. Through path traversal techniques, an attacker can manipulate the file path to perform arbitrary file write operations. This could result in command execution on the server, leading to unauthorized access to sensitive data and machine learning models. Users are strongly advised to upgrade to version 2.9.0 or later to mitigate this vulnerability.

Affected Version(s)

mlflow/mlflow < 2.9.0

References

https://huntr.com/bounties/93e470d7-b6f0-409b-af63-49d3e2...

https://github.com/mlflow/mlflow/commit/400c226953b4568f4...

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jun 6, 2024
Vulnerability Reserved
Jan 14, 2024