- CVSS
- HIGH · 7.5 v3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Published
- 2024-04-16
- Weakness
- CWE-22
- Source
- nvd.nist.gov/vuln/detail/CVE-2024-1593
Description
A path traversal vulnerability exists in the mlflow/mlflow repository due to improper handling of URL parameters. By smuggling path traversal sequences using the ’;’ character in URLs, attackers can manipulate the ‘params’ portion of the URL to gain unauthorized access to files or directories. This vulnerability allows for arbitrary data smuggling into the ‘params’ part of the URL, enabling attacks similar to those described in previous reports but utilizing the ’;’ character for parameter smuggling. Successful exploitation could lead to unauthorized information disclosure or server compromise.
References
How GTK Cyber trains on this
AI security training at GTK Cyber covers the LLM and ML-pipeline vulnerability classes that vulnerabilities like CVE-2024-1593 fall into. Our hands-on courses are taught by Charles Givre and other practitioners who break and defend production AI systems.