6 matches found

Nuclei
added 15 hours ago, 29 views

MLflow < 2.11.3 - Path Traversal

MLflow versions prior to 2.11.3 are vulnerable to a Path Traversal attack due to improper URI fragment parsing. This vulnerability allows attackers to read arbitrary files on the server, potentially exposing sensitive information. id: CVE-2024-2928 info: name: MLflow 2.11.3 - Path Traversal autho...

CVSS 7.5, AI score 7.4, EPSS 0.21847
Exploits: 2, References: 2
RedhatCVE
added 2026/01/07 9:9 a.m., 7 views

CVE-2024-2928

A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can...

CVSS 7.5, AI score 6.5, EPSS 0.21847
Exploits: 2, References: 1
GithubExploit
added 2024/11/08 3:55 a.m., 414 views

Exploit for Path Traversal in Lfprojects Mlflow

CVE-2024-2928 Arbitrary file read exploit for CVE-2024-2928 in...

CVSS 7.5, AI score 7.5, EPSS 0.21847
Exploits: 2
Circl
added 2024/09/11 5:21 p.m., 2 views

CVE-2024-2928

creationtimestamp | type | source
---|---|---
2024-09-11 17:21:42+00:00 | published-proof-of-concept | https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/mlflowcve20242928
2024-11-08 03:57:04+00:00 | published-proof-of-concept | https://t.me/GithubRedTeam/8970...

CVSS 7.5, AI score 7.1, EPSS 0.21847
Exploits: 2, References: 3
vulnersOsv
added 2024/06/06 9:30 p.m., 2 views

a2 (>=0.1.0 <=0.3.17), agentos (>=0.0.5 <=0.0.7) +159 more potentially affected by CVE-2024-2928 via mlflow (>=0.8.2 <=2.11.1)

mlflow PYPI version =0.8.2, =0.1.0, =0.0.5, =0.1.2, =1.0.18.2, =0.0.1, =1.0.41, =1.4.0, =0.2.5, =3.0.0, =0.1.0, =0.2.0, =0.3.5, =0.8.0, =1.0.0 and more Source cves: CVE-2024-2928 Source advisory: OSV:GHSA-J46Q-5PXX-8VMW...

CVSS 7.5, AI score 7, EPSS 0.21847
Exploits: 2
Vulnrichment
added 2024/06/06 6:29 p.m., 14 views

CVE-2024-2928 Local File Inclusion (LFI) via URI Fragment Parsing in mlflow/mlflow

A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can...

CVSS 7.5, AI score 6.6, EPSS 0.21847
Exploits: 2, References: 2