High Severity

mlflow

Path Traversal Bypass in Artifact Retrieval

A vulnerability in mlflow version 2.11.0 allows for path traversal due to improper validation of artifact URLs. By appending a '#' to the URL, attackers can bypass security checks and read arbitrary files. This issue was patched in version 2.12.1.

Available publicly on Apr 26 2024

CVSS score: 7.5

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Credit: asimovl

Remediation Steps
  • Update to mlflow version 2.12.1 or later.
  • Review and sanitize all user inputs, especially those that influence filesystem paths or URLs.
  • Implement additional server-side validation to ensure that URLs and paths do not contain unexpected characters or sequences that could lead to security vulnerabilities.
  • Regularly audit and monitor your application for unusual activity that could indicate an attempt to exploit this or similar vulnerabilities.
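
The second and third remediation steps above ask for server-side validation that treats an artifact URL as untrusted before it is mapped onto the filesystem. The following is an added illustration of that kind of check, written for this page; it is not mlflow's code and not the patch referenced below. The artifact root `/srv/mlflow/artifacts`, the restriction to `file://` URLs, the character allowlist and every sample URL are constructed assumptions. It validates three layers in turn (raw string, decoded path, normalised path), which is what prevents a trick at one layer from slipping past a check that only inspects another:

```python
"""
Added illustration, not mlflow's code: strict server-side validation of a
user-supplied artifact URL before it is turned into a filesystem path.
ARTIFACT_ROOT, the file:// scheme restriction, the allowlist and all
sample URLs are constructed for the example.
"""
import posixpath
import re
from pathlib import PurePosixPath
from urllib.parse import unquote, urlsplit

# Constructed: the only directory artifacts may be served from.
ARTIFACT_ROOT = PurePosixPath("/srv/mlflow/artifacts")

# Allowlist for the decoded path: one character class, nothing else.
_SAFE_PATH = re.compile(r"^[A-Za-z0-9/._-]+$")


class ArtifactURLError(ValueError):
    """Raised when an artifact URL fails validation."""


def resolve_artifact_path(url: str) -> PurePosixPath:
    """Return the normalised on-disk path for `url`, or raise ArtifactURLError."""
    # 1. Raw-string check. urlsplit() reports an *empty* fragment for a URL
    #    that merely ends in '#', so `if parts.fragment:` would miss that
    #    case; test for the characters themselves.
    if "#" in url or "?" in url:
        raise ArtifactURLError("artifact URL must not contain '#' or '?'")

    parts = urlsplit(url)
    if parts.scheme != "file" or parts.netloc not in ("", "localhost"):
        raise ArtifactURLError("only local file:// URLs are accepted")

    # 2. Decode percent-encoding *before* inspecting the path, so that
    #    "%2e%2e" is seen as "..", then apply a strict allowlist.
    decoded = unquote(parts.path)
    if not _SAFE_PATH.fullmatch(decoded):
        raise ArtifactURLError("unexpected characters in artifact path")

    # 3. Normalise "." / ".." and require the result to stay under the root.
    #    posixpath.join() keeps an absolute `decoded` as-is, so absolute and
    #    relative inputs both end up normalised against the root.
    joined = posixpath.join(str(ARTIFACT_ROOT), decoded)
    norm = PurePosixPath(posixpath.normpath(joined))
    if norm != ARTIFACT_ROOT and ARTIFACT_ROOT not in norm.parents:
        raise ArtifactURLError(f"{norm} is outside the artifact root")
    return norm


def is_allowed(url: str) -> bool:
    """True if `url` resolves to a path under ARTIFACT_ROOT, else False."""
    try:
        resolve_artifact_path(url)
        return True
    except ArtifactURLError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate, the rest representative of
    # the bypass classes the checks above are meant to catch.
    for sample in (
        "file:///srv/mlflow/artifacts/run-1/model.pkl",
        "file:///srv/mlflow/artifacts/run-1/model.pkl#",
        "file:///srv/mlflow/artifacts/run-1/model.pkl%23",
        "file:///srv/mlflow/artifacts/../../etc/hostname",
        "file:///srv/mlflow/artifacts/%2e%2e/%2e%2e/etc/hostname",
        "file:///srv/mlflow/artifacts2/run-1/model.pkl",
    ):
        verdict = "allowed" if is_allowed(sample) else "rejected"
        print(f"{sample!r:62} -> {verdict}")
```

Two design points are worth noting. The containment test compares path components (`ARTIFACT_ROOT in norm.parents`) rather than string prefixes, so a sibling directory such as `/srv/mlflow/artifacts2` is not mistaken for the root. And the raw-string check comes first because `urllib.parse.urlsplit` returns an empty `fragment` for a URL that ends in a bare `#`, which is exactly the shape of input this advisory describes; a validator that only looked at the parsed fragment would let it through.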

Patch Details
  • Fixed Version: 2.12.1
  • Patch Commit: https://github.com/mlflow/mlflow/commit/f8d51e21523238280ebcfdb378612afd7844eca8