Severity: High

Package: mlflow

Path Traversal via Model Version Source

A path traversal vulnerability was identified in MLflow version 2.9.2, allowing attackers to read arbitrary files on the server. The issue resides in the `_create_model_version()` function, which improperly validates the `source` parameter. This vulnerability was patched in a version following 2.9.2.

Available publicly on Apr 16 2024

CVSS base score: 7.5

CVSS:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Credit:

ozelis

Remediation Steps

  • Ensure MLflow is updated to a version where this vulnerability is patched.
  • Review and apply security patches regularly to mitigate potential vulnerabilities.
  • Validate all input parameters, including URIs, on the server side to prevent similar vulnerabilities.
  • Employ additional security measures such as web application firewalls (WAFs) to detect and block malicious requests.
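One way to carry out the server-side validation the third step calls for, as an added example that is not MLflow's own code: it canonicalises a model version `source` against an assumed artifact root (`/srv/mlflow/artifacts` is a placeholder for the deployment's real root) and rejects anything that resolves outside it, including percent-encoded traversal and non-local URI schemes.

```python
# Added example, not MLflow's implementation: validate a model version
# `source` before the server uses it to locate artifacts.
import os
from urllib.parse import unquote, urlparse

# Assumed artifact root for this example; real deployments configure their own.
ALLOWED_ROOT = "/srv/mlflow/artifacts"


def validate_model_version_source(source: str, allowed_root: str = ALLOWED_ROOT) -> str:
    """Return the canonical local path for `source`, or raise ValueError.

    Rejects non-local schemes, network locations, NUL bytes, and any path
    that resolves (after percent-decoding and symlink resolution) outside
    `allowed_root`.
    """
    root = os.path.realpath(allowed_root)
    parsed = urlparse(source)
    if parsed.scheme not in ("", "file"):
        raise ValueError(f"unsupported scheme {parsed.scheme!r}")
    if parsed.netloc:
        raise ValueError("network locations are not allowed")
    # Decode percent-encoding first so encoded separators are normalised too.
    raw_path = unquote(parsed.path)
    if "\x00" in raw_path:
        raise ValueError("NUL byte in path")
    # Relative sources live under the root; absolute ones must already be inside it.
    candidate = raw_path if os.path.isabs(raw_path) else os.path.join(root, raw_path)
    resolved = os.path.realpath(candidate)
    # commonpath (not startswith) so a sibling directory with a shared prefix is rejected.
    if os.path.commonpath([resolved, root]) != root:
        raise ValueError(f"source escapes artifact root: {source!r}")
    return resolved


def is_safe_source(source: str, allowed_root: str = ALLOWED_ROOT) -> bool:
    """Boolean wrapper suitable for a request handler's early check."""
    try:
        validate_model_version_source(source, allowed_root)
        return True
    except ValueError:
        return False
```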

Patch Details

  • Fixed Version: N/A
  • Patch Commit: N/A