CVE-2024-1594

Опубликовано: 16 апр. 2024

Источник: nvd

CVSS3: 7.5

EPSS Низкий

Описание

A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the artifact_location parameter when creating an experiment. Attackers can exploit this vulnerability by using a fragment component # in the artifact location URI to read arbitrary files on the server in the context of the server's process. This issue is similar to CVE-2023-6909 but utilizes a different component of the URI to achieve the same effect.

Ссылки

https://huntr.com/bounties/424b6f6b-e778-4a2b-b860-39730d396f3e
Exploit
Issue Tracking
Third Party Advisory
https://huntr.com/bounties/424b6f6b-e778-4a2b-b860-39730d396f3e
Exploit
Issue Tracking
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*

Версия до 2.11.3 (исключая)

EPSS

Процентиль: 58%

0.00364

Низкий

7.5 High

CVSS3

7.5 High

CVSS3

Дефекты

CWE-22

Связанные уязвимости

GHSA-m49c-5c52-6696

CVSS3: 7.5

github

почти 2 года назад

mlflow vulnerable to Path Traversal

EPSS

Процентиль: 58%

0.00364

Низкий

7.5 High

CVSS3

7.5 High

CVSS3

Дефекты

CWE-22