Severity: High

Package: mlflow

Path Traversal via Fragment Component in Artifact Location

A vulnerability in mlflow version 2.9.2 allows attackers to read arbitrary files through path traversal using the fragment component in the `artifact_location` field when creating an experiment. This issue, similar to CVE-2023-6909 but exploiting the fragment component, was patched in the version following 2.9.2.

Available publicly on Apr 16 2024

CVSS score: 7.5

CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Credit: ozelis

Remediation Steps
  • Update MLflow to the latest version immediately to mitigate this vulnerability.
  • Review and sanitize all input fields that accept URIs to ensure they do not allow path traversal sequences.
  • Consider implementing additional access controls or validation mechanisms to restrict the ability of untrusted users to create or modify experiments and models.
  • Regularly audit your MLflow deployment for unexpected or malicious activity.
Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A