Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-1593

A path traversal vulnerability exists in the mlflow/mlflow repository due to improper handling of URL parameters. By smuggling path traversal sequences using the ';' character in URLs, attackers can manipulate the 'params' portion of the URL to gain unauthorized access to files or directories. This vulnerability allows for arbitrary data smuggling into the 'params' part of the URL, enabling attacks similar to those described in previous reports but utilizing the ';' character for parameter smuggling. Successful exploitation could lead to unauthorized information disclosure or server compromise.

Published

2024-04-16T00:15:09.247

Last Modified

2025-02-03T15:41:20.283

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses

Type: Primary
CWE-22

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	lfprojects	mlflow	< 2.11.3	Yes

References

https://huntr.com/bounties/dbdc6bd6-d09a-46f2-9d9c-5138a14b6e31 Exploit, Issue Tracking, Third Party Advisory ([email protected])
https://huntr.com/bounties/dbdc6bd6-d09a-46f2-9d9c-5138a14b6e31 Exploit, Issue Tracking, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)