CVE-2024-2928
Local File Inclusion vulnerability in mlflow (PyPI)

Local File Inclusion Proof of concept

What is CVE-2024-2928 About?

This is a Local File Inclusion (LFI) vulnerability in mlflow/mlflow that allows an attacker to read arbitrary files on the server's local filesystem. It stems from improper validation of URI fragments for directory traversal sequences; exploiting the flaw requires nothing more than manipulating the fragment part of a URI.

Affected Software

  • mlflow
    • <96f0b573a73d8eedd6735a2ce26e08859527be07
    • <2.11.3

Technical Details

The Local File Inclusion (LFI) vulnerability in mlflow/mlflow, specifically in version 2.9.2, arises because the application fails to properly sanitize or validate URI fragments. Attackers can embed directory traversal sequences, such as '../', within the fragment part of a URI. When the application processes such a URI, it interprets the traversal sequences, allowing the attacker to navigate outside the intended directory and access arbitrary files on the server's local file system. This flaw bypasses previous patches that only focused on URI query string validation, indicating a lack of comprehensive validation across all components of a URI.

What is the Impact of CVE-2024-2928?

Successful exploitation may allow attackers to read sensitive system files, configuration files, source code, or other confidential data from the server's filesystem.

What is the Exploitability of CVE-2024-2928?

Exploitation is of low complexity and does not require authentication or elevated privileges; it can be performed by an unauthenticated remote attacker. The attacker needs to craft a malicious URI fragment containing directory traversal sequences. The primary prerequisite is that the application processes URI fragments in a way that allows them to influence file path resolution. The risk factors include web applications that incorporate user-supplied URI components into file system operations without sufficient sanitization.
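The Technical Details and Exploitability sections above describe a traversal check that covered the query string but not the fragment. The following constructed example (not mlflow's own code; the tracker host, the artifacts endpoint and the `path` parameter are hypothetical) places a query-only validator beside one that inspects every URI component, and adds a root-confinement check for the resolved path:

```python
import posixpath
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed example, not mlflow's code: a '..' segment delimited by a
# path, query or fragment separator (or the start/end of the component).
_TRAVERSAL = re.compile(r"(^|[/\\=&?#])\.\.(?=$|[/\\&?#])")


def _decode(component: str) -> str:
    # Decode twice so double-encoded sequences (%252e%252e) are seen as well.
    return unquote(unquote(component))


def has_traversal(component: str) -> bool:
    """True if the percent-decoded component carries a '..' segment."""
    return _TRAVERSAL.search(_decode(component)) is not None


def query_only_check(uri: str) -> bool:
    """Models the earlier fix that validated only the query string."""
    return not has_traversal(urlsplit(uri).query)


def full_uri_check(uri: str) -> bool:
    """Validates path, query and fragment: the comprehensive check."""
    parts = urlsplit(uri)
    return not any(has_traversal(c) for c in (parts.path, parts.query, parts.fragment))


def resolve_under_root(root: str, relative: str) -> Optional[str]:
    """Join a decoded relative path onto root; None if it escapes root."""
    root = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root, _decode(relative).lstrip("/")))
    if target != root and not target.startswith(root + "/"):
        return None
    return target


# Constructed sample URIs (hypothetical endpoint): benign, traversal in the
# query (both checks reject it), traversal in the fragment (only the full
# check rejects it), and the same fragment percent-encoded.
SAMPLES = {
    "benign": "http://tracker.example/artifacts?path=model/weights.bin",
    "query": "http://tracker.example/artifacts?path=../../outside.txt",
    "fragment": "http://tracker.example/artifacts?path=model#../../outside.txt",
    "encoded_fragment": "http://tracker.example/artifacts?path=model#%2e%2e/%2e%2e/outside.txt",
}

if __name__ == "__main__":
    for name, uri in SAMPLES.items():
        print(f"{name:17} query-only={query_only_check(uri)!s:5} full={full_uri_check(uri)}")
```

Running the block prints that the fragment samples pass the query-only check but fail the full one, which is the gap the advisory describes.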

What are the Known Public Exploits?

PoC Author          Link   Commentary
nuridincersaygili   Link   Arbitrary file read exploit for CVE-2024-2928 in mlflow

What are the Available Fixes for CVE-2024-2928?

Available Upgrade Options

  • mlflow
    • <2.11.3 → Upgrade to 2.11.3
    • <96f0b573a73d8eedd6735a2ce26e08859527be07 → Upgrade to 96f0b573a73d8eedd6735a2ce26e08859527be07


Additional Resources

What are Similar Vulnerabilities to CVE-2024-2928?

Similar Vulnerabilities: CVE-2023-38035, CVE-2022-38688, CVE-2021-39632, CVE-2020-2521, CVE-2019-15878