Path Traversal via URL Parameter Smuggling
A path traversal vulnerability was identified in MLflow version 2.9.2. A flaw in how URL parameters are handled lets path traversal sequences be smuggled through the 'params' part of a URL, which could give an attacker unauthorized access to, or disclosure of, sensitive information. The provided report does not explicitly state that the issue has been patched.
Available publicly on Apr 16 2024
Remediation Steps
- Update MLflow to the latest version or apply the patch provided by the maintainers.
- Validate and sanitize all input fields rigorously to prevent path traversal attacks.
- Employ a web application firewall (WAF) that can detect and block exploitation attempts.
- Limit API access to trusted networks and users.
- Regularly audit and monitor API usage for suspicious activities.
Patch Details
- Fixed Version: N/A
- Patch Commit: N/A