CVE-2024-1483
Path Traversal vulnerability in mlflow (PyPI)
What is CVE-2024-1483 About?
This vulnerability in mlflow/mlflow allows attackers to access arbitrary files on the server through a path traversal flaw. By crafting specific HTTP POST requests, an attacker can traverse the directory structure and read sensitive files. Exploitation is of moderate complexity, requiring specifically crafted input.
Affected Software
Technical Details
A path traversal vulnerability exists in mlflow/mlflow version 2.9.2 due to insufficient validation of user-supplied input. An attacker can exploit this by sending a series of HTTP POST requests where the 'artifact_location' and 'source' parameters are specially crafted. Specifically, by using a local URI that includes a '#' character instead of a '?', followed by path traversal sequences (e.g., '..%2F'), the server fails to properly sanitize the path. This allows the attacker to bypass directory restrictions and access files outside the intended directory, traversing the server's file system.
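The mechanism above (traversal sequences hidden behind a '#' in a local URI and percent-encoded as '..%2F') is the kind of input a server-side validator must normalise before trusting. The following is an added example of such a check, not mlflow's own code or fix: the function name and signature are hypothetical, the artifact root is a constructed value, and the rules are the ones a defender would want (decode until stable, refuse fragments and queries on local locations, refuse '..' segments, and confirm the resolved path stays inside the artifact root).

```python
import os
from typing import Optional
from urllib.parse import unquote, urlsplit


def resolve_local_artifact_path(location: str, artifact_root: str) -> Optional[str]:
    """Return the canonical path for a local artifact location, or None if it
    must be rejected. Hypothetical helper, not part of mlflow.

    'location' may be a bare path ('mlruns/1') or a file:// URI. The value is
    percent-decoded until stable (so '..%2F' and double-encoded forms are
    seen as '../'), anything carrying a '#' fragment or '?' query is refused,
    '..' segments are refused, and the resolved path must remain inside
    'artifact_root'. POSIX paths only.
    """
    root = os.path.realpath(artifact_root)

    decoded = location
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    else:
        return None  # still decoding after three rounds: reject outright

    parts = urlsplit(decoded)
    # A local location has no business carrying a fragment or a query; the
    # '#' is exactly where the advisory says traversal text was placed.
    if parts.fragment or parts.query:
        return None
    if parts.scheme not in ("", "file") or parts.netloc:
        return None  # only scheme-less or file:/// (no host) locations

    if any(seg == ".." for seg in parts.path.replace("\\", "/").split("/")):
        return None

    if parts.scheme == "file":
        candidate = os.path.realpath(parts.path)
    else:
        candidate = os.path.realpath(os.path.join(root, parts.path))

    # Final containment check also covers absolute paths and symlink escapes.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate
```

The containment check is the real guard; the earlier rejections exist so that a suspicious value is refused even before any filesystem path is computed.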
What is the Impact of CVE-2024-1483?
Successful exploitation may allow attackers to read arbitrary files from the server's file system, leading to information disclosure, unauthorized access to sensitive data, or further system compromise.
What is the Exploitability of CVE-2024-1483?
Exploitation is of moderate complexity, requiring an understanding of HTTP POST requests and the ability to craft specific 'artifact_location' and 'source' parameters with path traversal sequences. No authentication is explicitly mentioned, suggesting it might be possible for unauthenticated attackers if artifact creation/retrieval endpoints are exposed. The attack is remote, leveraging HTTP requests. There are no specific privilege requirements, as the vulnerability lies in the input validation mechanism. Special conditions include the use of '#' instead of '?' in the URI. Risk factors include publicly exposed MLflow instances and inadequate input sanitization in web applications.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-1483?
Available Upgrade Options
- mlflow
- <2.12.1 → Upgrade to 2.12.1
Additional Resources
What are Similar Vulnerabilities to CVE-2024-1483?
Similar Vulnerabilities: CVE-2024-1560, CVE-2023-46749, CVE-2023-6831, CVE-2022-4303, CVE-2022-45868
