Sightline

High

mlflow

LFI Vulnerability via URI Fragment

A Local File Read (LFI) vulnerability was discovered in MLflow version 2.9.2, allowing attackers to read arbitrary files on the server by exploiting the fragment part of the URI. This vulnerability was patched in version 2.11.3.

Available publicly on Apr 23 2024 | Available with Premium on Mar 26 2024

CVE:

CVE-2024-2928

CWE:

29:Path Traversal: '\..\filename'

CVSS:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Credit:

zpbrent

Assess Detect

Premium

Remediate

Remediation Steps

Update MLflow to version 2.11.3 or later.
Review and apply strict input validation on all parts of URLs processed by the server, including the fragment part.
Regularly audit and monitor server logs for suspicious activities that may indicate attempted exploitation of this vulnerability.
Consider implementing additional security controls such as file system access restrictions for the user under which the MLflow server runs.

Patch Details

Fixed Version: 2.11.3
Patch Commit: https://github.com/mlflow/mlflow/commit/96f0b573a73d8eedd6735a2ce26e08859527be07

Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have 452- related security advisories that are available with Sightline Premium.