CVE-2024-2928
HIGHCVSS v3
7.5
HIGH
EPSS Score
91.6%
exploit probability
CISA KEV
No
known exploited
Exploitation
—
SSVC status
Description
A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system, including sensitive files like '/etc/passwd'. The vulnerability is a bypass to a previous patch that only addressed similar manipulation within the URI's query string, highlighting the need for comprehensive validation of all parts of a URI to prevent LFI attacks.
Technical Details
- Published
- 6/6/2024
Frequently Asked Questions
What is CVE-2024-2928?
A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system, including sensitive files like '/etc/passwd'. The vulnerability is a bypass to a previous patch that only addressed similar manipulation within the URI's query string, highlighting the need for comprehensive validation of all parts of a URI to prevent LFI attacks.
Is CVE-2024-2928 actively exploited?
Active exploitation of CVE-2024-2928 has not been confirmed. The EPSS score is 91.6%, indicating the estimated probability of exploitation in the next 30 days.
What is the CVSS score for CVE-2024-2928?
CVE-2024-2928 has a CVSS v3 base score of 7.5 (HIGH severity).
Is CVE-2024-2928 affecting your environment?
Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.