CVE-2024-8859 Scanner
CVE-2024-8859 Scanner - Local File Inclusion vulnerability in Mlflow
Short Info
Level: High
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 20 days 11 hours
Scan only one: Domain, IPv4, Subdomain
Toolbox: -
Mlflow is an open-source platform for managing the machine learning lifecycle, including experimentation, reproducibility, and deployment. It is widely adopted by data scientists and machine learning engineers for tracking experiments, packaging code, and sharing models. Mlflow integrates seamlessly into existing ML workflows, making it a valuable tool for both research and production environments.
Local File Inclusion (LFI) vulnerabilities allow attackers to read sensitive files on a server through improper handling of file paths. They are typically exploited via path traversal, where a supplied file path is manipulated to reach files outside the intended directory. LFI vulnerabilities are critical because they can expose system configuration, credentials, and other sensitive information.
In Mlflow, the vulnerability arises from insufficient validation of file paths in the context of artifact handling and API endpoints. Specifically, attackers can leverage path traversal sequences (`../../..`) in API requests to access files such as `/etc/passwd`. This vulnerability affects Mlflow versions prior to 2.17.0.
Successful exploitation could allow attackers to obtain sensitive information, modify data, and execute unauthorized operations on the affected system. It may also enable further attacks by exposing configuration files or credentials used within the system.