Path Traversal Vulnerability in mlflow Allowing Arbitrary File Read
CVE-2024-3848

7.5HIGH

Key Information:

Vendor: Mlflow
Status: Mlflow/mlflow
Vendor: CVE Published:; 16 May 2024

Summary

A significant path traversal vulnerability has been identified in mlflow/mlflow version 2.11.0, recognized as a bypass for the previously addressed issue in CVE-2023-6909. The flaw is rooted in the handling of artifact URLs, particularly the improper validation of the fragment component. By exploiting this vulnerability, an attacker can embed a '#' character in the URL, allowing them to manipulate the protocol scheme and gain unauthorized access to the filesystem. This manipulation can lead to the unauthorized reading of arbitrary files containing sensitive information, such as SSH keys and cloud credentials. The vulnerability highlights critical gaps in the validation process of the fragment portion of the URL, facilitating dangerous path traversal attacks.

Affected Version(s)

mlflow/mlflow < 2.12.1

References

https://huntr.com/bounties/8d5aadaa-522f-4839-b41b-d7da36...

https://github.com/mlflow/mlflow/commit/f8d51e21523238280...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 16, 2024
Vulnerability Reserved
Apr 15, 2024