cnvd - cnvd-2024-35607

CNVD-2024-35607

Vulnerability from cnvd - Published: 2024-08-16

Title

Mlflow路径遍历漏洞

Description

Mlflow是一个机器学习生命周期的开源平台。 Mlflow存在路径遍历漏洞，该漏洞源于对URL参数处理不当。攻击者利用该漏洞可以获得对文件或目录的访问权限。

Severity

高

Patch Name

Mlflow路径遍历漏洞的补丁

Patch Description

Mlflow是一个机器学习生命周期的开源平台。 Mlflow存在路径遍历漏洞，该漏洞源于对URL参数处理不当。攻击者利用该漏洞可以获得对文件或目录的访问权限。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，详情请关注厂商主页： https://github.com/artjen/mlflow/commit/b1e6f0cd1ddb03b70d158d03f6c697198ba85037

Reference

https://nvd.nist.gov/vuln/detail/CVE-2024-1593

Impacted products

Name
Mlflow Mlflow

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-1593",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-1593"
    }
  },
  "description": "Mlflow\u662f\u4e00\u4e2a\u673a\u5668\u5b66\u4e60\u751f\u547d\u5468\u671f\u7684\u5f00\u6e90\u5e73\u53f0\u3002\n\nMlflow\u5b58\u5728\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5bf9URL\u53c2\u6570\u5904\u7406\u4e0d\u5f53\u3002\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e\u53ef\u4ee5\u83b7\u5f97\u5bf9\u6587\u4ef6\u6216\u76ee\u5f55\u7684\u8bbf\u95ee\u6743\u9650\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttps://github.com/artjen/mlflow/commit/b1e6f0cd1ddb03b70d158d03f6c697198ba85037",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-35607",
  "openTime": "2024-08-16",
  "patchDescription": "Mlflow\u662f\u4e00\u4e2a\u673a\u5668\u5b66\u4e60\u751f\u547d\u5468\u671f\u7684\u5f00\u6e90\u5e73\u53f0\u3002\r\n\r\nMlflow\u5b58\u5728\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5bf9URL\u53c2\u6570\u5904\u7406\u4e0d\u5f53\u3002\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e\u53ef\u4ee5\u83b7\u5f97\u5bf9\u6587\u4ef6\u6216\u76ee\u5f55\u7684\u8bbf\u95ee\u6743\u9650\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Mlflow\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Mlflow Mlflow"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2024-1593",
  "serverity": "\u9ad8",
  "submitTime": "2024-04-19",
  "title": "Mlflow\u8def\u5f84\u904d\u5386\u6f0f\u6d1e"
}

CVE-2024-1593 (GCVE-0-2024-1593)

Vulnerability from cvelistv5 – Published: 2024-04-16 00:00 – Updated: 2024-08-01 18:48

Summary

A path traversal vulnerability exists in the mlflow/mlflow repository due to improper handling of URL parameters. By smuggling path traversal sequences using the ';' character in URLs, attackers can manipulate the 'params' portion of the URL to gain unauthorized access to files or directories. This vulnerability allows for arbitrary data smuggling into the 'params' part of the URL, enabling attacks similar to those described in previous reports but utilizing the ';' character for parameter smuggling. Successful exploitation could lead to unauthorized information disclosure or server compromise.

Severity ?

7.5 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

@huntr_ai

References

URL

Tags

https://huntr.com/bounties/dbdc6bd6-d09a-46f2-9d9…

Impacted products

	Vendor	Product	Version
	mlflow	mlflow/mlflow	Affected: unspecified , ≤ latest (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:mlflow:mlflow:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mlflow",
            "vendor": "mlflow",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-1593",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-18T15:15:57.334624Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-24T17:16:06.273Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T18:48:20.648Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://huntr.com/bounties/dbdc6bd6-d09a-46f2-9d9c-5138a14b6e31"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mlflow/mlflow",
          "vendor": "mlflow",
          "versions": [
            {
              "lessThanOrEqual": "latest",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A path traversal vulnerability exists in the mlflow/mlflow repository due to improper handling of URL parameters. By smuggling path traversal sequences using the \u0027;\u0027 character in URLs, attackers can manipulate the \u0027params\u0027 portion of the URL to gain unauthorized access to files or directories. This vulnerability allows for arbitrary data smuggling into the \u0027params\u0027 part of the URL, enabling attacks similar to those described in previous reports but utilizing the \u0027;\u0027 character for parameter smuggling. Successful exploitation could lead to unauthorized information disclosure or server compromise."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-16T11:10:53.439Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntr_ai"
      },
      "references": [
        {
          "url": "https://huntr.com/bounties/dbdc6bd6-d09a-46f2-9d9c-5138a14b6e31"
        }
      ],
      "source": {
        "advisory": "dbdc6bd6-d09a-46f2-9d9c-5138a14b6e31",
        "discovery": "EXTERNAL"
      },
      "title": "Path Traversal via Parameter Smuggling in mlflow/mlflow"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntr_ai",
    "cveId": "CVE-2024-1593",
    "datePublished": "2024-04-16T00:00:14.123Z",
    "dateReserved": "2024-02-16T21:29:53.956Z",
    "dateUpdated": "2024-08-01T18:48:20.648Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2024-35607

CVE-2024-1593 (GCVE-0-2024-1593)

Tags

Sightings

Nomenclature