High

mlflow

Path Traversal via Local URI Fragment

A path traversal vulnerability was identified in MLflow version 2.9.2. It is reachable through a local URI in which the attacker-controlled portion follows a '#' fragment delimiter instead of a '?' query delimiter, so input handling that only accounts for the query component does not catch it. This vulnerability mirrors a previously reported issue but uses a different vector. The affected version is 2.9.2; details on the patch are not provided in the report.

Available publicly on Apr 16 2024

CVSS score: 7.5

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Credit: haxatron

Remediation Steps
  • Update MLflow to the latest version or apply the patch provided by the maintainers.
  • Validate and sanitize all user inputs, especially those involving file paths or URIs, to prevent path traversal attacks.
  • Employ a web application firewall (WAF) that can detect and block malicious requests exploiting path traversal vulnerabilities.
  • Regularly audit and review code handling file operations and user inputs for potential security issues.
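The second remediation bullet asks for validation of user-supplied paths and URIs. The following is an added example written for this page, not MLflow's own code, of what that check should look like for a local artifact store: the URI is parsed with `urllib.parse`, so both the '?' query and the '#' fragment are discarded before the remaining path is percent-decoded, normalised and confined to a base directory. The base directory `/srv/mlflow-artifacts` and the sample URIs are constructed for illustration; the functions `resolve_local_uri` and `is_safe_local_uri` are hypothetical names, not MLflow APIs.

```python
"""Hardened local-URI resolution for an artifact store (added example).

Not MLflow's code. Demonstrates the remediation-bullet check: parse off
both the '?' query and the '#' fragment before validating the path, so a
traversal sequence cannot ride in either component. Base directory and
sample URIs below are constructed for illustration.
"""
from pathlib import Path
from urllib.parse import unquote, urlparse


def resolve_local_uri(uri: str, base_dir: str) -> Path:
    """Return the filesystem path a local URI refers to, confined to base_dir.

    Accepts bare paths and file:// URIs. Raises ValueError for remote
    schemes, remote hosts, or any path that resolves outside base_dir.
    """
    parsed = urlparse(uri)
    if parsed.scheme not in ("", "file"):
        raise ValueError(f"unsupported scheme in {uri!r}")
    if parsed.netloc not in ("", "localhost"):
        raise ValueError(f"remote host not allowed in {uri!r}")

    # Only the path component is used; query and fragment are discarded.
    # Percent-decode before normalising so '..%2F' cannot bypass the check.
    raw_path = Path(unquote(parsed.path))
    base = Path(base_dir).resolve()
    candidate = raw_path if raw_path.is_absolute() else base / raw_path
    candidate = candidate.resolve()  # collapses '..' and follows symlinks

    try:
        candidate.relative_to(base)  # raises if candidate is outside base
    except ValueError:
        raise ValueError(f"path escapes {base_dir!r}: {uri!r}") from None
    return candidate


def is_safe_local_uri(uri: str, base_dir: str) -> bool:
    """Boolean wrapper around resolve_local_uri for input validation."""
    try:
        resolve_local_uri(uri, base_dir)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    ARTIFACT_ROOT = "/srv/mlflow-artifacts"  # constructed base directory
    samples = [  # constructed inputs
        "model.pkl",
        "model.pkl?download=1",
        "model.pkl#../../etc/passwd",  # traversal carried in the fragment
        "../../etc/passwd",
        "..%2F..%2Fetc%2Fpasswd",
        "file:///srv/mlflow-artifacts/run1/metrics.json",
        "http://example.invalid/model.pkl",
    ]
    for sample in samples:
        verdict = "ok" if is_safe_local_uri(sample, ARTIFACT_ROOT) else "rejected"
        print(f"{sample!r:50} -> {verdict}")
```

The point of the design is that the string is never split on a single delimiter: `urlparse` separates scheme, host, path, query and fragment in one pass, and only the path component reaches the filesystem check, which is done on the resolved absolute path rather than on the raw text.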

Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A