CVE-2024-2928

A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system, including sensitive files like '/etc/passwd'. The vulnerability is a bypass to a previous patch that only addressed similar manipulation within the URI's query string, highlighting the need for comprehensive validation of all parts of a URI to prevent LFI attacks.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/mlflow/mlflow/commit/96f0b573a73d8eedd6735a2ce26e08859527be07
https://huntr.com/bounties/19bf02d7-6393-4a95-b9d0-d6d4d2d8c298

Configurations

No configuration.

History

No history.

Information

Published : 2024-06-06 19:15

Updated : 2024-06-07 14:56

NVD link : CVE-2024-2928

Mitre link : CVE-2024-2928

CVE.ORG link : CVE-2024-2928

JSON object : View

Products Affected

No product.

CWE

CWE-29

Path Traversal: '\..\filename'

{"id": "CVE-2024-2928", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-06-06T19:15:55.680", "references": [{"url": "https://github.com/mlflow/mlflow/commit/96f0b573a73d8eedd6735a2ce26e08859527be07", "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/19bf02d7-6393-4a95-b9d0-d6d4d2d8c298", "source": "security@huntr.dev"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-29"}]}], "descriptions": [{"lang": "en", "value": "A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system, including sensitive files like '/etc/passwd'. The vulnerability is a bypass to a previous patch that only addressed similar manipulation within the URI's query string, highlighting the need for comprehensive validation of all parts of a URI to prevent LFI attacks."}, {"lang": "es", "value": "Se identific\u00f3 una vulnerabilidad de inclusi\u00f3n de archivos locales (LFI) en mlflow/mlflow, espec\u00edficamente en la versi\u00f3n 2.9.2, que se solucion\u00f3 en la versi\u00f3n 2.11.3. Esta vulnerabilidad surge de la falla de la aplicaci\u00f3n al validar adecuadamente los fragmentos de URI para secuencias de directory traversal como '../'. Un atacante puede aprovechar esta falla manipulando la parte del fragmento del URI para leer archivos arbitrarios en el sistema de archivos local, incluidos archivos confidenciales como '/etc/passwd'. La vulnerabilidad es una omisi\u00f3n de un parche anterior que solo abordaba una manipulaci\u00f3n similar dentro de la cadena de consulta del URI, destacando la necesidad de una validaci\u00f3n integral de todas las partes de un URI para prevenir ataques LFI."}], "lastModified": "2024-06-07T14:56:05.647", "sourceIdentifier": "security@huntr.dev"}