Remote Code Execution Vulnerability in mlflow/mlflow version 8.2.1
CVE-2024-0520
8.8 HIGH
What is CVE-2024-0520?
A vulnerability identified in MLflow version 8.2.1 exposes the application to potential remote code execution due to inadequate sanitization of file paths derived from HTTP headers. The flaw resides within the mlflow.data.http_dataset_source.py module, where user-controlled input from the Content-Disposition header or URL path may be mishandled. Through path traversal techniques, an attacker can manipulate the file path to perform arbitrary file write operations. This could result in command execution on the server, leading to unauthorized access to sensitive data and machine learning models. Users are strongly advised to upgrade to version 2.9.0 or later to mitigate this vulnerability.
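The pattern described above, shown as an added example; it is not MLflow's code or its patch. A file name taken from the Content-Disposition header or the URL path is treated as untrusted and reduced to a single component inside the download directory. The function names, the fallback name `dataset_source` and the sample inputs are assumptions made for illustration.

```python
import os
import posixpath
import re
from urllib.parse import urlparse, unquote


def filename_from_response(url, content_disposition=None):
    """Candidate name as a naive downloader would pick it:
    Content-Disposition first, then the last URL path segment."""
    if content_disposition:
        m = re.search(r'filename\s*=\s*"?([^";]+)"?', content_disposition, re.I)
        if m:
            return m.group(1).strip()
    return posixpath.basename(unquote(urlparse(url).path))


def safe_destination(dst_dir, candidate, default="dataset_source"):
    """Reduce an untrusted name to one path component inside dst_dir."""
    # Treat both separators as separators, whatever the host OS is.
    name = candidate.replace("\\", "/").split("/")[-1]
    if name in ("", ".", "..") or "\x00" in name:
        name = default  # hypothetical fallback name
    base = os.path.realpath(dst_dir)
    dest = os.path.realpath(os.path.join(base, name))
    # Defence in depth: the resolved path (symlinks included) must stay
    # under the download directory.
    if os.path.commonpath([base, dest]) != base:
        raise ValueError("destination escapes download directory")
    return dest


if __name__ == "__main__":
    import tempfile
    d = tempfile.mkdtemp()
    # Constructed header value carrying a traversal sequence.
    header = 'attachment; filename="../../outside.txt"'
    name = filename_from_response("http://example.invalid/data.csv", header)
    print("unsanitized join:", os.path.normpath(os.path.join(d, name)))
    print("confined path:   ", safe_destination(d, name))
```
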
Affected Version(s)
mlflow/mlflow < 2.9.0