CVE-2024-3848

Description

A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '#' character can be used to insert a path into the fragment, effectively skipping validation. This allows an attacker to construct a URL that, when processed, ignores the protocol scheme and uses the provided path for filesystem access. As a result, an attacker can read arbitrary files, including sensitive information such as SSH and cloud keys, by exploiting the way the application converts the URL into a filesystem path. The issue stems from insufficient validation of the fragment portion of the URL, leading to arbitrary file read through path traversal.

How to fix CVE-2024-3848

To remediate CVE-2024-3848, upgrade the affected package to a fixed version below.

• —upgrade to 2.12.1 or later
• —upgrade to 2.12.1 or later
• —upgrade to f8d51e21523238280ebcfdb378612afd7844eca8 or later

Is CVE-2024-3848 being exploited?

Likely — EPSS is 77.1%, placing CVE-2024-3848 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (3)

• from 0, < 2.12.1
• >= 2.9.2, < 2.12.1
• from 0, < f8d51e21523238280ebcfdb378612afd7844eca8, < f8d51e21523238280ebcfdb378612afd7844eca8 | from 0, < 2.12.1

CVSS scores

References (6)

• ADVISORYgithub.com/advisories/GHSA-rfqq-wq6w-72jm
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-3848
• PATCHgithub.com/mlflow/mlflow
• WEBgithub.com/mlflow/mlflow/commit/f8d51e21523238280ebcfdb378612afd7844eca8