Executive Summary

Informations
Name CVE-2024-3573 First vendor Publication 2024-04-16
Vendor Cve Last vendor Modification 2024-04-16

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score N/A Attack Range N/A
Cvss Impact Score N/A Attack Complexity N/A
Cvss Expoit Score N/A Authentication N/A
Calculate full CVSS 2.0 Vectors scores

Detail

mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary files on the system. The issue arises from the 'is_local_uri' function's failure to properly handle URIs with empty or 'file' schemes, leading to the misclassification of URIs as non-local. Attackers can exploit this by crafting malicious model versions with specially crafted 'source' parameters, enabling the reading of sensitive files within at least two directory levels from the server's root.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3573

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-29 Path Traversal: '..filename'

Sources (Detail)

https://github.com/mlflow/mlflow/commit/438a450714a3ca06285eeea34bdc6cf79d7f6cbc
https://huntr.com/bounties/8ea058a7-4ef8-4baf-9198-bc0147fc543c
Source Url

Alert History

If you want to see full details history, please login or register.
0
1
2
3
Date Informations
2024-04-17 02:41:59
  • Multiple Updates
2024-04-17 02:41:58
  • Multiple Updates
2024-04-16 17:27:30
  • Multiple Updates
2024-04-16 09:27:24
  • First insertion