Lucene search

Veracode Vulnerability DatabaseVERACODE:46482

HistoryApr 17, 2024 - 9:17 a.m.

Local File Inclusion (LFI)

2024-04-1709:17:19

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

mlflow

vulnerability

local file inclusion

uri parsing

arbitrary files

9.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

6.8 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

mlflow is vulnerable to Local File Inclusion (LFI). The vulnerability is due to improper parsing of URIs within the function is_local_uri in uri.py, which allows an attackers to read arbitrary files on the system.

CPENameOperatorVersion
mlflowle2.9.2
mlflowle2.9.2

CPE	Name	Operator	Version
	mlflow	le	2.9.2
	mlflow	le	2.9.2

References

github.com/advisories/GHSA-hq88-wg7q-gp4g

github.com/mlflow/mlflow/commit/438a450714a3ca06285eeea34bdc6cf79d7f6cbc

huntr.com/bounties/8ea058a7-4ef8-4baf-9198-bc0147fc543c

9.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

6.8 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for VERACODE:46482