1  info:
 2    name: mlflow
 3    cve: CVE-2024-2928
 4    summary: Local File Inclusion in mlflow
 5    details: |
 6      A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system, including sensitive files like '/etc/passwd'.
 7    cvss: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
 8    severity: HIGH
 9    security_advise: |
10      1. Upgrade to mlflow >= 2.11.3
11      2. Implement comprehensive validation of all parts of URIs to prevent directory traversal sequences
12      3. Regularly update and patch all software dependencies to mitigate vulnerabilities
13  rule: version >= "0" && version < "2.11.3"
14  references:
15    - https://nvd.nist.gov/vuln/detail/CVE-2024-2928
16    - https://github.com/mlflow/mlflow/commit/96f0b573a73d8eedd6735a2ce26e08859527be07
17    - https://github.com/mlflow/mlflow
18    - https://huntr.com/bounties/19bf02d7-6393-4a95-b9d0-d6d4d2d8c298