Path Traversal Vulnerability in Artifact Deletion Process
A path traversal vulnerability was identified in mlflow version 2.9.2 that allows an attacker to delete arbitrary directories on the tracking server host. The artifact path passed to delete_artifacts() is URL-decoded again after it has been validated, so a traversal sequence supplied in URL-encoded form (for example `%2e%2e` for `..`) passes the check and is only turned into `..` once the path is resolved for deletion. The vulnerability is tracked as CVE-2023-6831 and was patched in a subsequent release after 2.9.2.
Available publicly on Apr 16 2024
Remediation Steps
- Ensure your mlflow/mlflow installation is updated to the latest version beyond 2.9.2.
- Review and apply the patch suggested in the vulnerability report, which removes the redundant call to local_file_uri_to_path() in the delete_artifacts() function of local_artifact_repo.py.
- Consider implementing additional input validation and sanitization measures to prevent similar vulnerabilities, in particular checking the fully resolved path against the artifact root rather than only inspecting the raw input.
- Regularly audit and monitor access logs for suspicious activity related to the artifact deletion functionality.
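The following Python example is added here to illustrate the bug class and the check the remediation steps call for; it is not mlflow's code, and the function and helper names (`delete_artifacts_vulnerable`, `delete_artifacts_hardened`, `has_dotdot_segment`) are assumptions chosen for the illustration. The vulnerable variant validates the raw input and then URL-decodes it, so `%2e%2e/secret` becomes `../secret` after the check; the hardened variant never decodes after validation and additionally refuses any resolved target that is not inside the artifact root.

```python
import os
import shutil
import tempfile
from urllib.parse import unquote


def has_dotdot_segment(artifact_path: str) -> bool:
    """Input check applied to the raw path: reject any '..' segment.

    This is the kind of check that an encoded payload slips past, because
    '%2e%2e' contains no literal '..' at this point.
    """
    return ".." in artifact_path.replace("\\", "/").split("/")


def delete_artifacts_vulnerable(artifact_root: str, artifact_path: str) -> str:
    """Illustrative (hypothetical) vulnerable flow: validate, then decode."""
    if has_dotdot_segment(artifact_path):
        raise ValueError("traversal sequence rejected")
    # Redundant URL decoding after validation: '%2e%2e' becomes '..' here,
    # and normpath then collapses it into the parent directory.
    target = os.path.normpath(unquote(os.path.join(artifact_root, artifact_path)))
    if os.path.isdir(target):
        shutil.rmtree(target)
    return target


def delete_artifacts_hardened(artifact_root: str, artifact_path: str) -> str:
    """Illustrative hardened flow: no decode after validation, root containment check."""
    if has_dotdot_segment(artifact_path):
        raise ValueError("traversal sequence rejected")
    root = os.path.realpath(artifact_root)
    # Resolve the final target (symlinks included) and require it to stay under root.
    target = os.path.realpath(os.path.join(root, artifact_path))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("target escapes artifact root")
    if os.path.isdir(target):
        shutil.rmtree(target)
    return target


def demo() -> dict:
    """Run both variants against a constructed layout: <base>/artifacts and <base>/secret."""
    base = tempfile.mkdtemp()
    try:
        root = os.path.join(base, "artifacts")
        secret = os.path.join(base, "secret")
        os.makedirs(root)
        os.makedirs(secret)
        payload = "%2e%2e/secret"  # constructed attacker input, URL-encoded '../secret'

        delete_artifacts_vulnerable(root, payload)
        vulnerable_deleted_outside_root = not os.path.exists(secret)

        os.makedirs(secret, exist_ok=True)
        delete_artifacts_hardened(root, payload)
        hardened_left_outside_root = os.path.exists(secret)

        try:
            delete_artifacts_hardened(root, "../secret")
            hardened_rejected_plain_dotdot = False
        except ValueError:
            hardened_rejected_plain_dotdot = True

        return {
            "vulnerable_deleted_outside_root": vulnerable_deleted_outside_root,
            "hardened_left_outside_root": hardened_left_outside_root,
            "hardened_rejected_plain_dotdot": hardened_rejected_plain_dotdot,
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The containment check in the hardened variant is the part worth keeping even after the redundant decode is removed: it is independent of how the input was encoded, and it also catches symlinked directories inside the artifact root that point elsewhere on disk.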
Patch Details
- Fixed Version: N/A
- Patch Commit: N/A