CVE-2024-8859: Path Traversal in mlflow/mlflow

7.5 CVSS

Description

A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When a user configures and uses the dbfs service, the URL is concatenated directly into the file protocol, which results in an arbitrary file read. The issue occurs because only the path component of the URL is validated; other components, such as the query string and parameters, are not handled. The vulnerability is triggered when the user has configured the dbfs service and, during use, the service is mounted to a local directory.
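The following is an added illustration, not mlflow's own code: a URL-to-local-path conversion that validates only `urlparse(url).path` and then splices the raw URL remainder onto the mount directory, beside a hardened version that rejects every non-path component, percent-decodes the path, and confines the resolved path to the mount root. The `dbfs` scheme, the `MOUNT_ROOT` location, the function names and the sample URLs are all assumptions constructed for this example.

```python
# Added example (hypothetical names, not mlflow's implementation).
import os
from typing import Optional
from urllib.parse import urlparse, unquote

MOUNT_ROOT = "/mnt/dbfs"  # assumed local directory the dbfs service is mounted to


def weak_local_path(url: str) -> Optional[str]:
    """Flawed pattern: check urlparse(url).path, then concatenate the raw URL remainder."""
    parsed = urlparse(url)
    if parsed.scheme != "dbfs" or ".." in parsed.path.split("/"):
        return None
    # Everything after the scheme is spliced in, so query, params and fragment
    # (which the check above never looked at) end up in the local path.
    return os.path.normpath(MOUNT_ROOT + url[len("dbfs:"):])


def hardened_local_path(url: str) -> Optional[str]:
    """Accept only a plain path, decode it, and confine the result to MOUNT_ROOT."""
    parsed = urlparse(url)
    if parsed.scheme != "dbfs" or parsed.netloc:
        return None
    if parsed.params or parsed.query or parsed.fragment:
        return None  # the components the weak check ignores
    decoded = unquote(parsed.path)  # also closes the percent-encoded '..' variant
    if "\\" in decoded or "\x00" in decoded:
        return None
    candidate = os.path.realpath(os.path.join(MOUNT_ROOT, decoded.lstrip("/")))
    root = os.path.realpath(MOUNT_ROOT)
    # realpath + commonpath: the containment decision is made on the resolved path,
    # not on the string the caller supplied.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    clean = "dbfs:/models/run1/model.pkl"                 # constructed, well-formed
    sneaky = "dbfs:/models/run1?x=/../../../outside.txt"  # constructed: traversal in the query
    for u in (clean, sneaky):
        print(u, "->", weak_local_path(u), "|", hardened_local_path(u))
```

Running the block shows the weak variant accepting the second URL and resolving it outside `MOUNT_ROOT`, while the hardened variant returns `None` for it and keeps the clean URL under the mount.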

Classification

CVE ID: CVE-2024-8859

CVSS Base Severity: HIGH

CVSS Base Score: 7.5

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem Types

CWE-29 Path Traversal: '\..\filename'

Affected Products

Vendor: mlflow

Product: mlflow/mlflow

Nuclei Template

http/cves/2024/CVE-2024-8859.yaml

Exploit Prediction Scoring System (EPSS)

EPSS Score: 18.01% (estimated probability of exploitation in the wild)

EPSS Percentile: 94.76% (proportion of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-18 (date the score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-8859
https://huntr.com/bounties/2259b88b-a0c6-4c7c-b434-6aacf6056dcb
https://github.com/mlflow/mlflow/commit/7791b8cdd595f21b5f179c7b17e4b5eb5cbbe654