Home > Vulnerability Database > CVE-2024-2928

Mend.io Vulnerability Database

CVE-2024-2928

Good to know:

Date: June 6, 2024

A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system, including sensitive files like '/etc/passwd'. The vulnerability is a bypass to a previous patch that only addressed similar manipulation within the URI's query string, highlighting the need for comprehensive validation of all parts of a URI to prevent LFI attacks.

Language: Python

Severity Score

7.5

Related Resources (5)

Url: https://github.com/mlflow/mlflow

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-2928

Url: https://github.com/mlflow/mlflow/commit/96f0b573a73d8eedd6735a2ce26e08859527be07

Url: https://huntr.com/bounties/19bf02d7-6393-4a95-b9d0-d6d4d2d8c298

Url: https://www.mend.io/vulnerability-database/CVE-2024-2928

Severity Score

7.5

Weakness Type (CWE)

Path Traversal: '..filename'

CWE-29

Top Fix

Upgrade Version

Upgrade to version mlflow - 2.11.3

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-2928

Good to know:

Date: June 6, 2024

Language: Python

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?