A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system, including sensitive files like '/etc/passwd'. The vulnerability is a bypass to a previous patch that only addressed similar manipulation within the URI's query string, highlighting the need for comprehensive validation of all parts of a URI to prevent LFI attacks.
Metrics
Affected Vendors & Products
References
History
Fri, 11 Oct 2024 15:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Lfprojects
Lfprojects mlflow |
|
Weaknesses | CWE-22 | |
CPEs | cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:* | |
Vendors & Products |
Lfprojects
Lfprojects mlflow |
|
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: @huntr_ai
Published: 2024-06-06T18:29:54.973Z
Updated: 2024-08-01T19:32:42.225Z
Reserved: 2024-03-26T15:36:14.364Z
Link: CVE-2024-2928
Vulnrichment
Updated: 2024-08-01T19:32:42.225Z
NVD
Status : Modified
Published: 2024-06-06T19:15:55.680
Modified: 2024-11-21T09:10:51.707
Link: CVE-2024-2928
Redhat
No data.