AI PRP: Arbitrary File Read in mlflow CVE-2024-2928 #503
Assignees
Labels
Contributor main
The main issue a contributor is working on (top of the contribution queue).
Comments
frkngksl
changed the title
tooryx
added
the
Contributor queue
tooryx
added
Contributor main
|
Hi @frkngksl, You can work on this next. Cheers, |
|
Thanks @tooryx ! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
I want to develop a plugin for mlflow LFI - CVE-2024-2928
Vulnerability Information: This vulnerability enables malicious users to read sensitive files on the server. It also covers CVE-2023-6909 because it is a new bypass. Both CVEs doesn't exist in Tsunami Plugins.
Vulnerable Versions are below the 2.11.3
References:
The vulnerability requires five HTTP requests one is GET and the other four are POST. After creating a model and an experiment after linking them, one can read files on the filesystem.
The text was updated successfully, but these errors were encountered: