Description

A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system, including sensitive files like '/etc/passwd'. The vulnerability is a bypass to a previous patch that only addressed similar manipulation within the URI's query string, highlighting the need for comprehensive validation of all parts of a URI to prevent LFI attacks.

INFO

Published Date :

2024-06-06T18:29:54.973Z

Last Modified :

2024-08-01T19:32:42.225Z

Source :

@huntr_ai
AFFECTED PRODUCTS

The following products are affected by CVE-2024-2928 vulnerability.

Vendors Products
Lfprojects
  • Mlflow
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-2928.

URL Resource
https://github.com/mlflow/mlflow/commit/96f0b573a73d8eedd6735a2ce26e08859527be07 cve-icon cve-icon cve-icon
https://huntr.com/bounties/19bf02d7-6393-4a95-b9d0-d6d4d2d8c298 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact