Path traversal vulnerability in mlflow repository
CVE-2024-1594

7.5HIGH

Key Information:

Vendor: Mlflow
Status: Mlflow/mlflow
Vendor: CVE Published:; 16 April 2024

Summary

A path traversal vulnerability has been identified in the mlflow platform, specifically affecting the handling of the artifact_location parameter during the creation of experiments. This weakness allows attackers to craft a malicious URI that includes a fragment component, enabling them to access arbitrary files on the server running the affected version of mlflow. By exploiting this flaw, an attacker can read sensitive information, putting server integrity and data confidentiality at significant risk. This vulnerability exhibits similar characteristics to other previously identified issues but utilizes a different approach in URI manipulation. Ensuring robust input validation and sanitization mechanisms is essential to mitigate the potential exploitation of this type of vulnerability.

Affected Version(s)

mlflow/mlflow <= unspecified

References

https://huntr.com/bounties/424b6f6b-e778-4a2b-b860-39730d...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 16, 2024
Vulnerability Reserved
Feb 16, 2024