CVE-2024-2928 Scanner - Path Traversal vulnerability in MLflow
Short Info
Level: High
Scan type: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 12 days 22 hours
Scan only one: Domain, IPv4
Toolbox: -
Product Overview: MLflow is an open-source platform used for managing the end-to-end machine learning lifecycle. It is employed by data scientists and machine learning engineers for tracking experiments, packaging code for deployment, and reproducing results across different platforms.
Vulnerability Overview: The vulnerability allows attackers to perform path traversal attacks due to improper URI fragment parsing in MLflow versions earlier than 2.11.3. This can result in reading arbitrary files on the server, such as configuration files or sensitive data files.
Vulnerability Details: The issue arises from improper handling of URI fragments, which lets an attacker bypass access controls and traverse directories. It can be exploited by sending crafted requests to endpoints that do not validate this input properly.
Possible Effects: If exploited, this vulnerability allows attackers to read arbitrary files from the system, potentially exposing sensitive information such as configuration files, user credentials, or other confidential data.