CVE-2024-2928

HIGH

CVSS v3

7.5

HIGH

EPSS Score

91.6%

exploit probability

CISA KEV

No

known exploited

Exploitation

SSVC status

Description

A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system, including sensitive files like '/etc/passwd'. The vulnerability is a bypass to a previous patch that only addressed similar manipulation within the URI's query string, highlighting the need for comprehensive validation of all parts of a URI to prevent LFI attacks.

Technical Details

Published
6/6/2024

Frequently Asked Questions

What is CVE-2024-2928?

A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system, including sensitive files like '/etc/passwd'. The vulnerability is a bypass to a previous patch that only addressed similar manipulation within the URI's query string, highlighting the need for comprehensive validation of all parts of a URI to prevent LFI attacks.

Is CVE-2024-2928 actively exploited?

Active exploitation of CVE-2024-2928 has not been confirmed. The EPSS score is 91.6%, indicating the estimated probability of exploitation in the next 30 days.

What is the CVSS score for CVE-2024-2928?

CVE-2024-2928 has a CVSS v3 base score of 7.5 (HIGH severity).

Is CVE-2024-2928 affecting your environment?

Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.