Platform
python
Component
mlflow
Fixed in
2.9.3
CVE-2024-1593 describes a path traversal vulnerability discovered in the MLflow project. The flaw lets an attacker inject path traversal sequences, introduced with the ';' character, into the 'params' portion of a URL. Successful exploitation could lead to unauthorized information disclosure or even server compromise, affecting deployments running vulnerable MLflow versions 2.9.2 and earlier.
The core of this vulnerability is MLflow's inadequate handling of URL parameters. By injecting sequences like ';../' into the 'params' portion of a URL, an attacker can bypass the intended access controls and read files or directories outside the intended scope. The impact extends beyond simple information disclosure: depending on the server's configuration and the permissions of the MLflow process, a skilled attacker could potentially leverage this to execute arbitrary code on the server. The vulnerability resembles other parameter smuggling attacks, which underlines the importance of robust input validation and sanitization.
CVE-2024-1593 was publicly disclosed on April 16, 2024. The vulnerability is present in the mlflow/mlflow repository. There are currently no known public exploits or active campaigns targeting this vulnerability, but the ease of exploitation suggests it could become a target. It is not currently listed on the CISA KEV catalog. Monitor security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS
0.31% (54th percentile)
The primary mitigation for CVE-2024-1593 is to upgrade to a patched version of MLflow. The MLflow team has not yet released a specific fixed version, so monitor their official channels for updates. As a temporary workaround, implement strict input validation on all URL parameters processed by MLflow. This should include sanitizing the 'params' parameter to prevent the injection of path traversal sequences. Consider using a Web Application Firewall (WAF) with rules to block requests containing suspicious characters in the URL parameters. Regularly review and update MLflow's configuration to minimize potential attack surfaces.
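As an added example (not MLflow's own code), the Python below shows the two defender-side controls the workaround above calls for: a strict resolver for a client-supplied path parameter that rejects ';' and '..' sequences before touching the filesystem, and a scan of access-log lines for the ';../' pattern, raw or percent-encoded. The endpoint name `/example`, the function names and the log lines are constructed for this illustration.

```python
import os
import re
from urllib.parse import unquote

# Hypothetical helper, not MLflow code: resolve a user-supplied path
# parameter under base_dir and refuse anything that could escape it.
def resolve_safely(base_dir: str, user_param: str):
    """Return the real path of user_param inside base_dir, or None if it
    carries ';', '..', a leading slash, backslashes or NUL bytes."""
    decoded = unquote(unquote(user_param))      # also catches %2e%2e / %252e%252e
    if not decoded or decoded.startswith(("/", "\\")):
        return None
    if any(bad in decoded for bad in (";", "\\", "\x00")):
        return None
    if ".." in decoded.split("/"):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # Defence in depth: after the textual checks, still insist the resolved
    # path lies under base (covers symlinks that point outside base_dir).
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

# ';' (raw or percent-encoded, once or twice) followed by a '..' token.
TRAVERSAL_RE = re.compile(r"(?:;|%3b|%253b)(?:\.\.|%2e%2e|%252e%252e)", re.I)

def flag_traversal_requests(log_lines):
    """Return (line_number, decoded_request_target) for access-log lines
    whose request target contains a ';..' sequence in any encoding."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        m = re.search(r'"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/', line)
        if m and TRAVERSAL_RE.search(m.group(1)):
            hits.append((n, unquote(unquote(m.group(1)))))
    return hits

# Constructed sample access-log lines; '/example' is a placeholder endpoint.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Apr/2024:10:00:01 +0000] "GET /example?params=run1/model.pkl HTTP/1.1" 200 512',
    '10.0.0.9 - - [16/Apr/2024:10:00:02 +0000] "GET /example?params=run1;../../../config/app.yaml HTTP/1.1" 200 1024',
    '10.0.0.9 - - [16/Apr/2024:10:00:03 +0000] "GET /example?params=run1%3b%2e%2e%2f%2e%2e%2fconfig%2fapp.yaml HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for n, target in flag_traversal_requests(SAMPLE_LOG):
        print(f"line {n}: suspicious request target {target}")
```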
Update the mlflow library to the latest available version. This will fix the path traversal vulnerability. See the release notes for more details on the update.
CVE-2024-1593 is a path traversal vulnerability in MLflow versions 2.9.2 and earlier, allowing attackers to manipulate URL parameters to access unauthorized files.
You are affected if you are using MLflow version 2.9.2 or earlier. Check your MLflow version and upgrade as soon as a patch is available.
Upgrade to a patched version of MLflow. Until a patch is released, implement strict input validation on URL parameters and consider using a WAF.
There are currently no confirmed reports of active exploitation, but the vulnerability's ease of exploitation suggests it could become a target.
Monitor the MLflow GitHub repository and official MLflow documentation for updates and security advisories related to CVE-2024-1593.