BIT-MLFLOW-2024-8859 Path Traversal in mlflow/mlflow

A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is checked, while...

Relative Path Traversal

mlflow is vulnerable to Relative Path Traversal. The vulnerability is due to improper URL handling due to the dbfs service concatenating URLs directly into the file protocol, allowing arbitrary file reads when the service is mounted to a local directory...

CVE-2024-8859

A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is checked, while...

MLflow has a Local File Read/Path Traversal in dbfs

A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is checked, while...

GHSA-4RQF-8PFM-P36R MLflow has a Local File Read/Path Traversal in dbfs

A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is checked, while...

CVE-2024-8859

A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is checked, while...

CVE-2024-8859 Path Traversal in mlflow/mlflow

A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is checked, while...

CVE-2024-8859 Path Traversal in mlflow/mlflow

A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is checked, while...

CVE-2024-8859

Mlflow/mlflow 2.15.1 contains a path traversal/local file read vulnerability when using the dbfs service: the URL is interpolated into the file protocol with only the path portion validated, enabling reading arbitrary server files when dbfs is mounted locally. Public sources (Nuclei template, OSV...

PT-2025-12247 · Mlflow · Mlflow

Name of the Vulnerable Software and Affected Versions: mlflow/mlflow version 2.15.1 Description: A path traversal issue exists when users configure and use the dbfs service. The vulnerability arises from directly concatenating the URL into the file protocol, resulting in an arbitrary file read...