Home > Vulnerability Database > CVE-2024-3573

Mend.io Vulnerability Database

CVE-2024-3573

Good to know:

Date: April 15, 2024

mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary files on the system. The issue arises from the 'is_local_uri' function's failure to properly handle URIs with empty or 'file' schemes, leading to the misclassification of URIs as non-local. Attackers can exploit this by crafting malicious model versions with specially crafted 'source' parameters, enabling the reading of sensitive files within at least two directory levels from the server's root.

Language: Python

Severity Score

9.3

Related Resources (4)

Url: https://github.com/mlflow/mlflow/commit/438a450714a3ca06285eeea34bdc6cf79d7f6cbc

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-3573

Url: https://huntr.com/bounties/8ea058a7-4ef8-4baf-9198-bc0147fc543c

Url: https://www.mend.io/vulnerability-database/CVE-2024-3573

Severity Score

9.3

Weakness Type (CWE)

Path Traversal: '..filename'

CWE-29

Top Fix

Upgrade Version

Upgrade to version mlflow - 2.10.0

Learn More

CVSS v3.1

Base Score:	9.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-3573

Good to know:

Date: April 15, 2024

Language: Python

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?