CVE-2024-1560

Path Traversal Vulnerability in mlflow/mlflow

Severity Score

8.1

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the artifact deletion functionality. Attackers can bypass path validation by exploiting the double decoding process in the `_delete_artifact_mlflow_artifacts` handler and `local_file_uri_to_path` function, allowing for the deletion of arbitrary directories on the server's filesystem. This vulnerability is due to an extra unquote operation in the `delete_artifacts` function of `local_artifact_repo.py`, which fails to properly sanitize user-supplied paths. The issue is present up to version 2.9.2, despite attempts to fix a similar issue in CVE-2023-6831.

Existe una vulnerabilidad de path traversal en el repositorio mlflow/mlflow, específicamente dentro de la funcionalidad de eliminación de artefactos. Los atacantes pueden eludir la validación de rutas explotando el proceso de doble decodificación en el controlador `_delete_artifact_mlflow_artifacts` y la función `local_file_uri_to_path`, lo que permite la eliminación de directorios arbitrarios en el sistema de archivos del servidor. Esta vulnerabilidad se debe a una operación adicional entre comillas en la función `delete_artifacts` de `local_artifact_repo.py`, que no sanitiza adecuadamente las rutas proporcionadas por el usuario. El problema está presente hasta la versión 2.9.2, a pesar de los intentos de solucionar un problema similar en CVE-2023-6831.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-15 CVE Reserved
2024-04-16 CVE Published
2024-08-09 CVE Updated
2025-02-04 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CAPEC

References (1)

URL	Tag	Source
https://huntr.com/bounties/4a34259c-3c8f-4872-b178-f27fbc876b98

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Lfprojects Search vendor "Lfprojects"		Mlflow Search vendor "Lfprojects" for product "Mlflow"				*		-		Affected
Mlflow Search vendor "Mlflow"		Mlflow Search vendor "Mlflow" for product "Mlflow"				*		-		Affected