Severity: High
Product: mlflow

Path Traversal Vulnerability in Artifact Deletion Process

A path traversal vulnerability was identified in mlflow version 2.9.2, allowing attackers to delete arbitrary directories by bypassing URL encoding checks. The vulnerability, tracked as CVE-2023-6831, was patched in a subsequent release after 2.9.2.

Available publicly on Apr 16 2024

CVSS score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Credit: ozelis
Remediation Steps
  • Ensure your mlflow/mlflow installation is updated to the latest version beyond 2.9.2.
  • Review and apply the patch suggested in the vulnerability report, which involves removing redundant calls to local_file_uri_to_path() in the delete_artifacts() function of local_artifact_repo.py.
  • Consider implementing additional input validation and sanitization measures to prevent similar vulnerabilities.
  • Regularly audit and monitor access logs for suspicious activity related to the artifact deletion functionality.
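An added, defender-side example of the input validation the third remediation step recommends; it is not mlflow's own code. The artifact path is fully percent-decoded before it is checked, and deletion proceeds only when the resolved target lies strictly inside the artifact root. The function names and the temporary-directory scenario in demo() are assumptions made for this example.

```python
import shutil
import tempfile
import urllib.parse
from pathlib import Path


class UnsafeArtifactPath(ValueError):
    """Raised when a requested artifact path would escape the artifact root."""


def resolve_artifact_path(artifact_root: str, artifact_path: str) -> Path:
    """Map a caller-supplied artifact path to an on-disk path inside the root."""
    root = Path(artifact_root).resolve()
    # Decode until stable so an encoded traversal sequence is judged in decoded
    # form; each unquote() shortens or leaves the string, so this terminates.
    decoded, previous = artifact_path, None
    while decoded != previous:
        decoded, previous = urllib.parse.unquote(decoded), decoded
    if not decoded or Path(decoded).is_absolute() or "\\" in decoded or "\x00" in decoded:
        raise UnsafeArtifactPath(f"rejected artifact path {artifact_path!r}")
    # Containment is decided on resolved absolute paths, not on string prefixes.
    candidate = (root / decoded).resolve()
    if candidate == root or root not in candidate.parents:
        raise UnsafeArtifactPath(f"{artifact_path!r} resolves outside the artifact root")
    return candidate


def is_safe_artifact_path(artifact_root: str, artifact_path: str) -> bool:
    try:
        resolve_artifact_path(artifact_root, artifact_path)
        return True
    except UnsafeArtifactPath:
        return False


def delete_artifacts_safely(artifact_root: str, artifact_path: str) -> Path:
    """Delete one artifact file or directory, but only after validation."""
    target = resolve_artifact_path(artifact_root, artifact_path)
    if target.is_dir():
        shutil.rmtree(target)
    elif target.exists():
        target.unlink()
    return target


def demo() -> dict:
    """Constructed scenario: a throwaway artifact root holding one run directory."""
    root = Path(tempfile.mkdtemp(prefix="artifacts-"))
    (root / "run1" / "model").mkdir(parents=True)
    (root / "run1" / "model" / "weights.bin").write_bytes(b"\x00" * 16)
    gone = delete_artifacts_safely(str(root), "run1/model")
    outcome = {"deleted_exists": gone.exists(), "run_dir_exists": (root / "run1").exists()}
    shutil.rmtree(root)
    return outcome
```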
Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A