Severity:

High

Affected package:

mlflow

Path Traversal via URL Parameter Smuggling

A path traversal vulnerability was identified in MLflow version 2.9.2 in which path traversal sequences are smuggled through the handling of URL parameters. An attacker can manipulate the 'params' part of a URL, potentially leading to unauthorized access to or disclosure of sensitive information. The report did not explicitly state that the issue has been patched.

Available publicly on Apr 16 2024

CVSS score:

7.5

CVSS vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Credit:

haxatron
Remediation Steps
  • Update MLflow to the latest version or apply the patch provided by the maintainers.
  • Validate and sanitize all input fields rigorously to prevent path traversal attacks.
  • Employ a web application firewall (WAF) that can detect and block exploitation attempts.
  • Limit API access to trusted networks and users.
  • Regularly audit and monitor API usage for suspicious activities.
Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A