CVE-2024-1558 Path Traversal Vulnerability in mlflow/mlflow

A path traversal vulnerability exists in the createmodelversion function within server/handlers.py of the mlflow/mlflow repository, due to improper validation of the source parameter. Attackers can exploit this vulnerability by crafting a source parameter that bypasses the...

CVE-2024-1594 Local File Read via Path Traversal in mlflow/mlflow

A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the artifactlocation parameter when creating an experiment. Attackers can exploit this vulnerability by using a fragment component in the artifact location URI to read arbitrary files on the...

CVE-2024-3573 Local File Inclusion (LFI) via Scheme Confusion in mlflow/mlflow

mlflow/mlflow is vulnerable to Local File Inclusion LFI due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary files on the system. The issue arises from the 'islocaluri' function's failure to properly handle URIs with empty or 'file' schemes, leading to the...

CVE-2024-1593 Path Traversal via Parameter Smuggling in mlflow/mlflow

A path traversal vulnerability exists in the mlflow/mlflow repository due to improper handling of URL parameters. By smuggling path traversal sequences using the ';' character in URLs, attackers can manipulate the 'params' portion of the URL to gain unauthorized access to files or directories. Th...

CVE-2024-1558 Path Traversal Vulnerability in mlflow/mlflow

A path traversal vulnerability exists in the createmodelversion function within server/handlers.py of the mlflow/mlflow repository, due to improper validation of the source parameter. Attackers can exploit this vulnerability by crafting a source parameter that bypasses the...

CVE-2024-3573

The CVE-2024-3573 entry concerns mlflow/mlflow with a Local File Inclusion (LFI) caused by improper parsing of URIs in the is_local_uri logic. The issue misclassifies URIs with empty or file schemes as non-local, enabling an attacker to craft malicious model versions (source parameter) that bypas...

CVE-2024-1593

This CVE describes a path traversal vulnerability in the mlflow/mlflow repository caused by improper handling of URL parameters. Attackers can smuggle path traversal sequences using the ';' character in URLs to manipulate the 'params' portion and access unauthorized files or directories. The repo...

CVE-2024-1594

CVE-2024-1594 is a path traversal vulnerability in mlflow/mlflow related to handling of artifact_location when creating an experiment. The connected OSV entry states that a fragment component # in the artifact URL can be used to bypass validation and allow reading arbitrary files on the server wi...

CVE-2024-1483

Summary: CVE-2024-1483 is a path traversal vulnerability in mlflow/mlflow 2.9.2 that allows an attacker to access arbitrary server files. The issue stems from insufficient validation of user-supplied input in server handlers, enabling traversal via crafted HTTP POST requests using crafted artifac...

CVE-2024-1483 Path Traversal Vulnerability in mlflow/mlflow

A path traversal vulnerability exists in mlflow/mlflow version 2.9.2, allowing attackers to access arbitrary files on the server. By crafting a series of HTTP POST requests with specially crafted 'artifactlocation' and 'source' parameters, using a local URI with '' instead of '?', an attacker can...

CVE-2024-1483 Path Traversal Vulnerability in mlflow/mlflow

A path traversal vulnerability exists in mlflow/mlflow version 2.9.2, allowing attackers to access arbitrary files on the server. By crafting a series of HTTP POST requests with specially crafted 'artifactlocation' and 'source' parameters, using a local URI with '' instead of '?', an attacker can...

CVE-2024-1560 Path Traversal Vulnerability in mlflow/mlflow

A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the artifact deletion functionality. Attackers can bypass path validation by exploiting the double decoding process in the deleteartifactmlflowartifacts handler and localfileuritopath function, allowing for...

CVE-2024-1560

CVE-2024-1560 affects mlflow/mlflow prior to 2.9.2, in the artifact deletion path. A double decoding flaw in _delete_artifact_mlflow_artifacts and local_file_uri_to_path, via an extra unquote in delete_artifacts, allows path traversal and deletion of arbitrary server directories. Impact: high, wi...

CVE-2024-1560 Path Traversal Vulnerability in mlflow/mlflow

A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the artifact deletion functionality. Attackers can bypass path validation by exploiting the double decoding process in the deleteartifactmlflowartifacts handler and localfileuritopath function, allowing for...

Mlflow 安全漏洞

Mlflow is an open source platform for machine learning lifecycles. A security vulnerability exists in Mlflow that stems from the islocaluri function failing to properly handle URIs that contain null or file schemes, resulting in URIs being incorrectly categorized as non-local, which can be...

Mlflow 路径遍历漏洞

Mlflow is an open source platform for the machine learning lifecycle. Mlflow suffers from a path traversal vulnerability that stems from improper handling of URL parameters. An attacker can use this vulnerability to gain access to a file or directory...

Mlflow 路径遍历漏洞

Mlflow is an open source platform for machine learning lifecycles. A path traversal vulnerability exists in Mlflow due to improper validation of the "source" parameter. An attacker can use this vulnerability to read and access arbitrary files on the server...

PT-2024-26681 · Mlflow · Mlflow

Name of the Vulnerable Software and Affected Versions: mlflow/mlflow affected versions not specified Description: The issue arises from the is local uri function's failure to properly handle URIs with empty or 'file' schemes, leading to the misclassification of URIs as non-local. Attackers can...

Mlflow 路径遍历漏洞

Mlflow is an open source platform for machine learning lifecycles. A path traversal vulnerability exists in Mlflow version 2.9.2, which can be exploited by an attacker to read arbitrary files in the context of a server process...

PT-2024-18084 · Mlflow · Mlflow

Name of the Vulnerable Software and Affected Versions: mlflow/mlflow version 2.9.2 Description: A path traversal vulnerability exists, allowing attackers to access arbitrary files on the server. By crafting a series of HTTP POST requests with specially crafted artifact location and source...