CVSS: 7.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

25 Nov 2024 — Excessive directory permissions in MLflow lead to local privilege escalation when using spark_udf. This behavior can be exploited by a local attacker to gain elevated permissions by using a ToCToU attack. The issue is only relevant when the spark_udf() MLflow API is called. • https://github.com/mlflow/mlflow/pull/10874 • CWE-276: Incorrect Default Permissions • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •

CVSS: 7.8 • EPSS: 85% • CPEs: 1 • EXPL: 1

06 Jun 2024 — A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system, including sensitive files like '/etc/passwd'. The vulnerability is a bypass to a previous patch that... • https://github.com/nuridincersaygili/CVE-2024-2928 • CWE-29: Path Traversal: '\..\filename' •

CVSS: 10.0 • EPSS: 2% • CPEs: 1 • EXPL: 0

06 Jun 2024 — A vulnerability in mlflow/mlflow version 8.2.1 allows for remote code execution due to improper neutralization of special elements used in an OS command ('Command Injection') within the `mlflow.data.http_dataset_source.py` module. Specifically, when loading a dataset from a source URL with an HTTP scheme, the filename extracted from the `Content-Disposition` header or the URL path is used to generate the final file path without proper sanitization. This flaw enables an attacker to control the file path full... • https://github.com/mlflow/mlflow/commit/400c226953b4568f4361bc0a0c223511652c2b9d • CWE-23: Relative Path Traversal •

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

06 Jun 2024 — A vulnerability in mlflow/mlflow version 2.11.1 allows attackers to create multiple models with the same name by exploiting URL encoding. This flaw can lead to Denial of Service (DoS) as an authenticated user might not be able to use the intended model, as it will open a different model each time. Additionally, an attacker can exploit this vulnerability to perform data model poisoning by creating a model with the same name, potentially causing an authenticated user to become a victim by using the poisoned m... • https://github.com/efekaanakkar/CVE-2024-30998 • CWE-475: Undefined Behavior for Input to API •

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

16 May 2024 — A broken access control vulnerability exists in mlflow/mlflow versions before 2.10.1, where low privilege users with only EDIT permissions on an experiment can delete any artifacts. This issue arises due to the lack of proper validation for DELETE requests by users with EDIT permissions, allowing them to perform unauthorized deletions of artifacts. The vulnerability specifically affects the handling of artifact deletions within the application, as demonstrated by the ability of a low privilege user to delet... • https://github.com/mlflow/mlflow/commit/b43e0e3de5b500554e13dc032ba2083b2d6c94b8 • CWE-284: Improper Access Control •

CVSS: 7.5 • EPSS: 19% • CPEs: 1 • EXPL: 0

16 May 2024 — A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '#' character can be used to insert a path into the fragment, effectively skipping validation. This allows an attacker to construct a URL that, when processed, ignores the protocol scheme and uses the provided path for filesystem access. As a result, an attacker can read arbitrary files, in... • https://github.com/mlflow/mlflow/commit/f8d51e21523238280ebcfdb378612afd7844eca8 • CWE-29: Path Traversal: '\..\filename' •

CVSS: 9.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

16 Apr 2024 — mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary files on the system. The issue arises from the 'is_local_uri' function's failure to properly handle URIs with empty or 'file' schemes, leading to the misclassification of URIs as non-local. Attackers can exploit this by crafting malicious model versions with specially crafted 'source' parameters, enabling the reading of sensitive files within at least two director... • https://github.com/mlflow/mlflow/commit/438a450714a3ca06285eeea34bdc6cf79d7f6cbc • CWE-29: Path Traversal: '\..\filename' •

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

16 Apr 2024 — A path traversal vulnerability exists in the `_create_model_version()` function within `server/handlers.py` of the mlflow/mlflow repository, due to improper validation of the `source` parameter. Attackers can exploit this vulnerability by crafting a `source` parameter that bypasses the `_validate_non_local_source_contains_relative_paths(source)` function's checks, allowing for arbitrary file read access on the server. The issue arises from the handling of unquoted URL characters and the subsequent misuse of... • https://huntr.com/bounties/7f4dbcc5-b6b3-43dd-b310-e2d0556a8081 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

16 Apr 2024 — A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the `artifact_location` parameter when creating an experiment. Attackers can exploit this vulnerability by using a fragment component `#` in the artifact location URI to read arbitrary files on the server in the context of the server's process. This issue is similar to CVE-2023-6909 but utilizes a different component of the URI to achieve the same effect. • https://huntr.com/bounties/424b6f6b-e778-4a2b-b860-39730d396f3e • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 7.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

16 Apr 2024 — A path traversal vulnerability exists in the mlflow/mlflow repository due to improper handling of URL parameters. By smuggling path traversal sequences using the ';' character in URLs, attackers can manipulate the 'params' portion of the URL to gain unauthorized access to files or directories. This vulnerability allows for arbitrary data smuggling into the 'params' part of the URL, enabling attacks similar to those described in previous reports but utilizing the ';' character for parameter smuggling. Succes... • https://huntr.com/bounties/dbdc6bd6-d09a-46f2-9d9c-5138a14b6e31 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •