Cyber Resilience

CVE-2024-3848

HighPublic PoC

Published: 16 May 2024

Published
16 May 2024
Modified
24 January 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.7610 98.9th percentile
Risk Priority 61 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-3848 is a high-severity Path Traversal: '\..\filename' (CWE-29) vulnerability in Lfprojects Mlflow. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Other Platforms; in the Privacy and Disclosure risk domain; MITRE ATLAS techniques in scope: Establish Accounts (AML.T0021), AML.T0022, AML.T0023.

Deeper analysis

MLflow version 2.11.0 contains a path traversal vulnerability, CVE-2024-3848, that bypasses the earlier fix for CVE-2023-6909. The flaw lies in the handling of artifact URLs: a “#” character places an attacker-controlled path in the URL fragment, causing the application to skip protocol-scheme validation and convert the fragment directly into a filesystem path.

An unauthenticated remote attacker can therefore supply a crafted artifact URL that results in arbitrary file reads on the server, including SSH keys and cloud credentials. The vulnerability is rated CVSS 7.5 with network attack vector, low complexity, and high confidentiality impact.

The referenced commit f8d51e21523238280ebcfdb378612afd7844eca8 in the mlflow repository applies the corrective validation of URL fragments. The associated EPSS score is currently 0.7610 and reached a peak of 0.7952.

EU & UK References

Vulnerability details

A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '#' character can be used to insert a path into…

more

the fragment, effectively skipping validation. This allows an attacker to construct a URL that, when processed, ignores the protocol scheme and uses the provided path for filesystem access. As a result, an attacker can read arbitrary files, including sensitive information such as SSH and cloud keys, by exploiting the way the application converts the URL into a filesystem path. The issue stems from insufficient validation of the fragment portion of the URL, leading to arbitrary file read through path traversal.

CWE(s)

AI Security AnalysisAI

AI Category
Other Platforms
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
MLflow is an open-source platform for managing the end-to-end machine learning lifecycle, including experiment tracking, model packaging, and artifact storage, which fits 'Other Platforms'. The vulnerability in artifact URL handling is reported on an AI/ML bug bounty platform (huntr.com).

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1083 File and Directory Discovery Discovery
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
T1552.004 Private Keys Credential Access
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials.
Why these techniques?

Path traversal in MLflow (public-facing app) enables exploitation (T1190), arbitrary file reads for file/system discovery and collection (T1083, T1005), and stealing unsecured credentials/private keys from files (T1552.001, T1552.004).

MITRE ATLAS TechniquesAI

MITRE ATLAS techniques

AML.T0021: Establish AccountsAML.T0022AML.T0023

Affected Assets

lfprojects
mlflow
≤ 2.12.1

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

References