mlflow Vulnerable to Local File Inclusion (LFI) Attacks
CVE-2024-3573
9.3 CRITICAL
Summary
mlflow is vulnerable to Local File Inclusion (LFI) because of inadequate handling of URI parsing. Specifically, the 'is_local_uri' function fails to accurately assess URIs with empty or 'file' schemes. An attacker can exploit this by creating a malicious model version whose 'source' parameter is specially manipulated to bypass the local checks, gaining unauthorized access to sensitive files located within a two-directory scope from the server's root. This misclassification of URIs creates significant risk, because it can allow confidential data to be exfiltrated.
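A strict source check for the two URI classes named in the summary, as an added example that is not mlflow's code or its fix. The names is_local_source, validate_source, audit and ALLOWED_REMOTE_SCHEMES, and the allowlist itself, are assumptions made for illustration; all sample inputs are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: this deployment keeps model artifacts only in these remote stores.
ALLOWED_REMOTE_SCHEMES = frozenset({"s3", "gs", "https"})

# A Windows drive path such as C:\models would otherwise parse as scheme "c".
_DRIVE_PATH = re.compile(r"^[A-Za-z]:[\\/]")


def is_local_source(uri: str) -> bool:
    """True when `uri` could resolve on the server's own filesystem."""
    uri = uri.strip()
    if _DRIVE_PATH.match(uri):
        return True
    scheme = urlsplit(uri).scheme.lower()
    # Empty scheme: a bare absolute, relative or //host/share path.
    # "file": local whatever the authority part is (absent, empty or a host).
    return scheme in ("", "file")


def validate_source(uri: str) -> str:
    """Return `uri` if it is an allowed remote source, else raise ValueError."""
    if is_local_source(uri):
        raise ValueError(f"local source rejected: {uri!r}")
    scheme = urlsplit(uri.strip()).scheme.lower()
    if scheme not in ALLOWED_REMOTE_SCHEMES:
        raise ValueError(f"scheme {scheme!r} not allowed: {uri!r}")
    return uri


def audit(sources):
    """Map each source string to 'ok' or to the reason it was rejected."""
    verdicts = {}
    for src in sources:
        try:
            validate_source(src)
            verdicts[src] = "ok"
        except ValueError as exc:
            verdicts[src] = str(exc)
    return verdicts


# Constructed sample inputs, not taken from the advisory.
SAMPLES = ["/srv/models/a", "models/a", "file:///srv/models/a",
           "FILE://localhost/srv/models/a", "file:models/a",
           "C:\\models\\a", "ftp://host/a", "s3://bucket/models/a"]

if __name__ == "__main__":
    for src, verdict in audit(SAMPLES).items():
        print(f"{src:32} {verdict}")
```

The check fails closed: a source is accepted only when its scheme is on the allowlist, so a form the classifier did not anticipate is rejected rather than treated as remote.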
Affected Version(s)
mlflow/mlflow < 2.10.0
References
CVSS V3.1
Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved