CVE-2024-1483 - Vulnerability Details - OpenCVE

A path traversal vulnerability exists in mlflow/mlflow version 2.9.2, allowing attackers to access arbitrary files on the server. By crafting a series of HTTP POST requests with specially crafted 'artifact_location' and 'source' parameters, using a local URI with '#' instead of '?', an attacker can traverse the server's directory structure. The issue occurs due to insufficient validation of user-supplied input in the server's handlers.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Lfprojects	Mlflow

Configuration 1 [-]

cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://huntr.com/bounties/52a3855d-93ff-4460-ac24-9c7e4334198d

History

Mon, 03 Feb 2025 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Lfprojects Lfprojects mlflow
CPEs		cpe:2.3:a:lfprojects:mlflow::::::::
Vendors & Products		Lfprojects Lfprojects mlflow
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-04-16T00:00:14.064Z

Updated: 2024-08-01T18:40:21.239Z

Reserved: 2024-02-13T20:33:54.093Z

Link: CVE-2024-1483

Vulnrichment

Updated: 2024-08-01T18:40:21.239Z

NVD

Status : Analyzed

Published: 2024-04-16T00:15:08.353

Modified: 2025-02-03T15:02:46.710

Link: CVE-2024-1483

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1483", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2024-02-13T20:33:54.093Z", "datePublished": "2024-04-16T00:00:14.064Z", "dateUpdated": "2024-08-01T18:40:21.239Z"}, "containers": {"cna": {"title": "Path Traversal Vulnerability in mlflow/mlflow", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-04-16T11:10:53.707Z"}, "descriptions": [{"lang": "en", "value": "A path traversal vulnerability exists in mlflow/mlflow version 2.9.2, allowing attackers to access arbitrary files on the server. By crafting a series of HTTP POST requests with specially crafted 'artifact_location' and 'source' parameters, using a local URI with '#' instead of '?', an attacker can traverse the server's directory structure. The issue occurs due to insufficient validation of user-supplied input in the server's handlers."}], "affected": [{"vendor": "mlflow", "product": "mlflow/mlflow", "versions": [{"version": "unspecified", "status": "affected", "versionType": "custom", "lessThanOrEqual": "latest"}]}], "references": [{"url": "https://huntr.com/bounties/52a3855d-93ff-4460-ac24-9c7e4334198d"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22"}]}], "source": {"advisory": "52a3855d-93ff-4460-ac24-9c7e4334198d", "discovery": "EXTERNAL"}}, "adp": [{"affected": [{"vendor": "mflow", "product": "mflow", "cpes": ["cpe:2.3:a:mflow:mflow:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "*", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-04-18T15:18:32.964093Z", "id": "CVE-2024-1483", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-03T16:20:01.509Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:40:21.239Z"}, "title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/52a3855d-93ff-4460-ac24-9c7e4334198d", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/52a3855d-93ff-4460-ac24-9c7e4334198d", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:40:21.239Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1483", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-18T15:18:32.964093Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mflow:mflow:*:*:*:*:*:*:*:*"], "vendor": "mflow", "product": "mflow", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "*"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-03T16:19:55.608Z"}}], "cna": {"title": "Path Traversal Vulnerability in mlflow/mlflow", "source": {"advisory": "52a3855d-93ff-4460-ac24-9c7e4334198d", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "mlflow", "product": "mlflow/mlflow", "versions": [{"status": "affected", "version": "unspecified", "versionType": "custom", "lessThanOrEqual": "latest"}]}], "references": [{"url": "https://huntr.com/bounties/52a3855d-93ff-4460-ac24-9c7e4334198d"}], "descriptions": [{"lang": "en", "value": "A path traversal vulnerability exists in mlflow/mlflow version 2.9.2, allowing attackers to access arbitrary files on the server. By crafting a series of HTTP POST requests with specially crafted 'artifact_location' and 'source' parameters, using a local URI with '#' instead of '?', an attacker can traverse the server's directory structure. The issue occurs due to insufficient validation of user-supplied input in the server's handlers."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-04-16T11:10:53.707Z"}}}, "cveMetadata": {"cveId": "CVE-2024-1483", "state": "PUBLISHED", "dateUpdated": "2024-08-01T18:40:21.239Z", "dateReserved": "2024-02-13T20:33:54.093Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2024-04-16T00:00:14.064Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*", "matchCriteriaId": "D345B83A-B06E-4568-BD5F-0DA9CA081262", "versionEndExcluding": "2.12.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A path traversal vulnerability exists in mlflow/mlflow version 2.9.2, allowing attackers to access arbitrary files on the server. By crafting a series of HTTP POST requests with specially crafted 'artifact_location' and 'source' parameters, using a local URI with '#' instead of '?', an attacker can traverse the server's directory structure. The issue occurs due to insufficient validation of user-supplied input in the server's handlers."}, {"lang": "es", "value": "Existe una vulnerabilidad de path traversal en mlflow/mlflow versi\u00f3n 2.9.2, que permite a los atacantes acceder a archivos arbitrarios en el servidor. Al crear una serie de solicitudes HTTP POST con par\u00e1metros 'artifact_location' y 'source' especialmente manipulados, utilizando un URI local con '#' en lugar de '?', un atacante puede atravesar la estructura de directorios del servidor. El problema se produce debido a una validaci\u00f3n insuficiente de la entrada proporcionada por el usuario en los controladores del servidor."}], "id": "CVE-2024-1483", "lastModified": "2025-02-03T15:02:46.710", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-04-16T00:15:08.353", "references": [{"source": "security@huntr.dev", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://huntr.com/bounties/52a3855d-93ff-4460-ac24-9c7e4334198d"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://huntr.com/bounties/52a3855d-93ff-4460-ac24-9c7e4334198d"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@huntr.dev", "type": "Secondary"}]}