mlflow Vulnerable to Local File Inclusion (LFI) Attacks
CVE-2024-3573

9.3CRITICAL

Key Information:

Vendor: Mlflow
Status: Mlflow/mlflow
Vendor: CVE Published:; 16 April 2024

What is CVE-2024-3573?

The vulnerability in mlflow pertains to Local File Inclusion (LFI) that arises from inadequate handling of URI parsing. Specifically, the 'is_local_uri' function fails to accurately assess URIs with empty or 'file' schemes. This oversight allows attackers to exploit the system by crafting malicious model versions that contain specially manipulated 'source' parameters. By doing so, they can bypass local checks and gain unauthorized access to sensitive files located within a two-directory scope from the server's root. Such misclassification of URIs creates significant risks, enabling malicious actors to potentially exfiltrate confidential data.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

mlflow/mlflow < 2.10.0

References

https://huntr.com/bounties/8ea058a7-4ef8-4baf-9198-bc0147...

https://github.com/mlflow/mlflow/commit/438a450714a3ca062...

CVSS V3.1

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Apr 16, 2024
Vulnerability Reserved
Apr 10, 2024

JSON

Mlflow