CVE-2024-3573

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-3573

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-3573.json

Aliases

GHSA-hq88-wg7q-gp4g

Published

2024-04-16T00:15:12Z

Modified

2024-05-14T13:11:41.757759Z

Summary

[none]

Details

mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary files on the system. The issue arises from the 'islocaluri' function's failure to properly handle URIs with empty or 'file' schemes, leading to the misclassification of URIs as non-local. Attackers can exploit this by crafting malicious model versions with specially crafted 'source' parameters, enabling the reading of sensitive files within at least two directory levels from the server's root.

References

Affected packages

Git / github.com/mlflow/mlflow

Affected ranges

Type: GIT
Repo: https://github.com/mlflow/mlflow
Events: Introduced

0The exact introduced commit is unknown

Fixed

438a450714a3ca06285eeea34bdc6cf79d7f6cbc

Affected versions

1.*

1.0.0

v0.*

v0.2.0

v0.2.1

v0.3.0

v0.4.0

v0.4.1

v0.4.2

v0.5.0

v0.6.0

v0.7

v0.8.0

v0.8.1

v1.*

v1.7.0

v2.*

v2.2.0