Home > Vulnerability Database > CVE-2024-8859

Mend.io Vulnerability Database

CVE-2024-8859

Good to know:

Date: March 20, 2025

A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is checked, while parts such as query and parameters are not handled. The vulnerability is triggered if the user has configured the dbfs service, and during usage, the service is mounted to a local directory.

Severity Score

7.5

Related Resources (5)

Url: https://github.com/mlflow/mlflow

Url: https://github.com/mlflow/mlflow/commit/7791b8cdd595f21b5f179c7b17e4b5eb5cbbe654

Url: https://huntr.com/bounties/2259b88b-a0c6-4c7c-b434-6aacf6056dcb

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-8859

Url: https://www.mend.io/vulnerability-database/CVE-2024-8859

Severity Score

7.5

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Path Traversal: '..filename'

CWE-29

Top Fix

Upgrade Version

Upgrade to version mlflow - 2.17.0;mlflow - 2.17.0rc0;mlflow - 2.17.0;https://github.com/mlflow/mlflow.git - v2.17.0

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-8859

Good to know:

Date: March 20, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?