CVE-2024-3848
Vulnerability from cvelistv5
Published
2024-05-16 09:03
Modified
2024-08-01 20:26
Severity ?
7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Path Traversal Bypass in mlflow/mlflow
References
security@huntr.devhttps://github.com/mlflow/mlflow/commit/f8d51e21523238280ebcfdb378612afd7844eca8
security@huntr.devhttps://huntr.com/bounties/8d5aadaa-522f-4839-b41b-d7da362dd610
Impacted products
mlflowmlflow/mlflow
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:lfprojects:mlflow:2.11.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mlflow",
            "vendor": "lfprojects",
            "versions": [
              {
                "lessThan": "2.12.1",
                "status": "affected",
                "version": "2.11.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-3848",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-16T13:51:45.744148Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-24T15:45:57.489Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T20:26:57.075Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://huntr.com/bounties/8d5aadaa-522f-4839-b41b-d7da362dd610"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/mlflow/mlflow/commit/f8d51e21523238280ebcfdb378612afd7844eca8"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mlflow/mlflow",
          "vendor": "mlflow",
          "versions": [
            {
              "lessThan": "2.12.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application\u0027s handling of artifact URLs, where a \u0027#\u0027 character can be used to insert a path into the fragment, effectively skipping validation. This allows an attacker to construct a URL that, when processed, ignores the protocol scheme and uses the provided path for filesystem access. As a result, an attacker can read arbitrary files, including sensitive information such as SSH and cloud keys, by exploiting the way the application converts the URL into a filesystem path. The issue stems from insufficient validation of the fragment portion of the URL, leading to arbitrary file read through path traversal."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-29",
              "description": "CWE-29 Path Traversal: \u0027\\..\\filename\u0027",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-16T09:03:47.178Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntr_ai"
      },
      "references": [
        {
          "url": "https://huntr.com/bounties/8d5aadaa-522f-4839-b41b-d7da362dd610"
        },
        {
          "url": "https://github.com/mlflow/mlflow/commit/f8d51e21523238280ebcfdb378612afd7844eca8"
        }
      ],
      "source": {
        "advisory": "8d5aadaa-522f-4839-b41b-d7da362dd610",
        "discovery": "EXTERNAL"
      },
      "title": "Path Traversal Bypass in mlflow/mlflow"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntr_ai",
    "cveId": "CVE-2024-3848",
    "datePublished": "2024-05-16T09:03:47.178Z",
    "dateReserved": "2024-04-15T17:50:00.311Z",
    "dateUpdated": "2024-08-01T20:26:57.075Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-3848\",\"sourceIdentifier\":\"security@huntr.dev\",\"published\":\"2024-05-16T09:15:14.543\",\"lastModified\":\"2024-05-16T13:03:05.353\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application\u0027s handling of artifact URLs, where a \u0027#\u0027 character can be used to insert a path into the fragment, effectively skipping validation. This allows an attacker to construct a URL that, when processed, ignores the protocol scheme and uses the provided path for filesystem access. As a result, an attacker can read arbitrary files, including sensitive information such as SSH and cloud keys, by exploiting the way the application converts the URL into a filesystem path. The issue stems from insufficient validation of the fragment portion of the URL, leading to arbitrary file read through path traversal.\"},{\"lang\":\"es\",\"value\":\"Existe una vulnerabilidad de path traversal en mlflow/mlflow versi\u00f3n 2.11.0, identificada como una derivaci\u00f3n para el CVE-2023-6909 abordado anteriormente. La vulnerabilidad surge del manejo de las URL de artefactos por parte de la aplicaci\u00f3n, donde se puede usar un car\u00e1cter \u0027#\u0027 para insertar una ruta en el fragmento, omitiendo efectivamente la validaci\u00f3n. Esto permite a un atacante construir una URL que, cuando se procesa, ignora el esquema del protocolo y utiliza la ruta proporcionada para acceder al sistema de archivos. Como resultado, un atacante puede leer archivos arbitrarios, incluida informaci\u00f3n confidencial como SSH y claves de la nube, aprovechando la forma en que la aplicaci\u00f3n convierte la URL en una ruta del sistema de archivos. El problema surge de una validaci\u00f3n insuficiente de la parte del fragmento de la URL, lo que lleva a una lectura arbitraria del archivo a trav\u00e9s del path traversal.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security@huntr.dev\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-29\"}]}],\"references\":[{\"url\":\"https://github.com/mlflow/mlflow/commit/f8d51e21523238280ebcfdb378612afd7844eca8\",\"source\":\"security@huntr.dev\"},{\"url\":\"https://huntr.com/bounties/8d5aadaa-522f-4839-b41b-d7da362dd610\",\"source\":\"security@huntr.dev\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.