Home > Vulnerability Database > CVE-2024-1560

Mend.io Vulnerability Database

CVE-2024-1560

Date: April 15, 2024

A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the artifact deletion functionality. Attackers can bypass path validation by exploiting the double decoding process in the "_delete_artifact_mlflow_artifacts" handler and "local_file_uri_to_path" function, allowing for the deletion of arbitrary directories on the server's filesystem. This vulnerability is due to an extra unquote operation in the "delete_artifacts" function of "local_artifact_repo.py", which fails to properly sanitize user-supplied paths. The issue is present up to version 2.9.2, despite attempts to fix a similar issue in CVE-2023-6831.

Language: Python

Severity Score

8.1

Related Resources (4)

Url: https://github.com/mlflow/mlflow

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-1560

Url: https://huntr.com/bounties/4a34259c-3c8f-4872-b178-f27fbc876b98

Url: https://www.mend.io/vulnerability-database/CVE-2024-1560

Severity Score

8.1

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

CVSS v3.1

Base Score:	8.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-1560

Date: April 15, 2024

Language: Python

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?