OpenCVE

A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system, including sensitive files like '/etc/passwd'. The vulnerability is a bypass to a previous patch that only addressed similar manipulation within the URI's query string, highlighting the need for comprehensive validation of all parts of a URI to prevent LFI attacks.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Lfprojects	Mlflow

Configuration 1 [-]

cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/mlflow/mlflow/commit/96f0b573a73d8eedd6735a2ce26e08859527be07
https://huntr.com/bounties/19bf02d7-6393-4a95-b9d0-d6d4d2d8c298

History

Fri, 11 Oct 2024 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Lfprojects Lfprojects mlflow
Weaknesses		CWE-22
CPEs		cpe:2.3:a:lfprojects:mlflow::::::::
Vendors & Products		Lfprojects Lfprojects mlflow
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-06-06T18:29:54.973Z

Updated: 2024-08-01T19:32:42.225Z

Reserved: 2024-03-26T15:36:14.364Z

Link: CVE-2024-2928

Vulnrichment

Updated: 2024-08-01T19:32:42.225Z

NVD

Status : Modified

Published: 2024-06-06T19:15:55.680

Modified: 2024-11-21T09:10:51.707

Link: CVE-2024-2928

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-2928", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2024-03-26T15:36:14.364Z", "datePublished": "2024-06-06T18:29:54.973Z", "dateUpdated": "2024-08-01T19:32:42.225Z"}, "containers": {"cna": {"title": "Local File Inclusion (LFI) via URI Fragment Parsing in mlflow/mlflow", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-06-06T18:29:54.973Z"}, "descriptions": [{"lang": "en", "value": "A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system, including sensitive files like '/etc/passwd'. The vulnerability is a bypass to a previous patch that only addressed similar manipulation within the URI's query string, highlighting the need for comprehensive validation of all parts of a URI to prevent LFI attacks."}], "affected": [{"vendor": "mlflow", "product": "mlflow/mlflow", "versions": [{"version": "unspecified", "lessThan": "2.11.3", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/19bf02d7-6393-4a95-b9d0-d6d4d2d8c298"}, {"url": "https://github.com/mlflow/mlflow/commit/96f0b573a73d8eedd6735a2ce26e08859527be07"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-29 Path Traversal: '\\..\\filename'", "cweId": "CWE-29"}]}], "source": {"advisory": "19bf02d7-6393-4a95-b9d0-d6d4d2d8c298", "discovery": "EXTERNAL"}}, "adp": [{"affected": [{"vendor": "lfprojects", "product": "mlflow", "cpes": ["cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.11.3", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-06T19:39:18.635831Z", "id": "CVE-2024-2928", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-24T17:23:22.838Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:32:42.225Z"}, "title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/19bf02d7-6393-4a95-b9d0-d6d4d2d8c298", "tags": ["x_transferred"]}, {"url": "https://github.com/mlflow/mlflow/commit/96f0b573a73d8eedd6735a2ce26e08859527be07", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/19bf02d7-6393-4a95-b9d0-d6d4d2d8c298", "tags": ["x_transferred"]}, {"url": "https://github.com/mlflow/mlflow/commit/96f0b573a73d8eedd6735a2ce26e08859527be07", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:32:42.225Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-2928", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-06T19:39:18.635831Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*"], "vendor": "lfprojects", "product": "mlflow", "versions": [{"status": "affected", "version": "0", "lessThan": "2.11.3", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T19:39:05.750Z"}}], "cna": {"title": "Local File Inclusion (LFI) via URI Fragment Parsing in mlflow/mlflow", "source": {"advisory": "19bf02d7-6393-4a95-b9d0-d6d4d2d8c298", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "mlflow", "product": "mlflow/mlflow", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "2.11.3", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/19bf02d7-6393-4a95-b9d0-d6d4d2d8c298"}, {"url": "https://github.com/mlflow/mlflow/commit/96f0b573a73d8eedd6735a2ce26e08859527be07"}], "descriptions": [{"lang": "en", "value": "A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system, including sensitive files like '/etc/passwd'. The vulnerability is a bypass to a previous patch that only addressed similar manipulation within the URI's query string, highlighting the need for comprehensive validation of all parts of a URI to prevent LFI attacks."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-29", "description": "CWE-29 Path Traversal: '\\..\\filename'"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-06-06T18:29:54.973Z"}}}, "cveMetadata": {"cveId": "CVE-2024-2928", "state": "PUBLISHED", "dateUpdated": "2024-08-01T19:32:42.225Z", "dateReserved": "2024-03-26T15:36:14.364Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2024-06-06T18:29:54.973Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*", "matchCriteriaId": "C3A84D8C-5A9A-481D-9EF8-55C0B3A03F4C", "versionEndExcluding": "2.11.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system, including sensitive files like '/etc/passwd'. The vulnerability is a bypass to a previous patch that only addressed similar manipulation within the URI's query string, highlighting the need for comprehensive validation of all parts of a URI to prevent LFI attacks."}, {"lang": "es", "value": "Se identific\u00f3 una vulnerabilidad de inclusi\u00f3n de archivos locales (LFI) en mlflow/mlflow, espec\u00edficamente en la versi\u00f3n 2.9.2, que se solucion\u00f3 en la versi\u00f3n 2.11.3. Esta vulnerabilidad surge de la falla de la aplicaci\u00f3n al validar adecuadamente los fragmentos de URI para secuencias de directory traversal como '../'. Un atacante puede aprovechar esta falla manipulando la parte del fragmento del URI para leer archivos arbitrarios en el sistema de archivos local, incluidos archivos confidenciales como '/etc/passwd'. La vulnerabilidad es una omisi\u00f3n de un parche anterior que solo abordaba una manipulaci\u00f3n similar dentro de la cadena de consulta del URI, destacando la necesidad de una validaci\u00f3n integral de todas las partes de un URI para prevenir ataques LFI."}], "id": "CVE-2024-2928", "lastModified": "2024-11-21T09:10:51.707", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-06T19:15:55.680", "references": [{"source": "security@huntr.dev", "tags": ["Patch"], "url": "https://github.com/mlflow/mlflow/commit/96f0b573a73d8eedd6735a2ce26e08859527be07"}, {"source": "security@huntr.dev", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://huntr.com/bounties/19bf02d7-6393-4a95-b9d0-d6d4d2d8c298"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/mlflow/mlflow/commit/96f0b573a73d8eedd6735a2ce26e08859527be07"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://huntr.com/bounties/19bf02d7-6393-4a95-b9d0-d6d4d2d8c298"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-29"}], "source": "security@huntr.dev", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}