Description

mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary files on the system. The issue arises from the 'is_local_uri' function's failure to properly handle URIs with empty or 'file' schemes, leading to the misclassification of URIs as non-local. Attackers can exploit this by crafting malicious model versions with specially crafted 'source' parameters, enabling the reading of sensitive files within at least two directory levels from the server's root.

INFO

Published Date :

2024-04-16T00:00:14.753Z

Last Modified :

2024-08-01T20:12:07.901Z

Source :

@huntr_ai
AFFECTED PRODUCTS

The following products are affected by CVE-2024-3573 vulnerability.

Vendors Products
Lfprojects
  • Mlflow
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-3573.

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact