CVE-2024-3848
Published: 16 May 2024
Summary
CVE-2024-3848 is a high-severity Path Traversal: '\..\filename' (CWE-29) vulnerability in Lfprojects Mlflow. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Other Platforms; in the Privacy and Disclosure risk domain; MITRE ATLAS techniques in scope: Establish Accounts (AML.T0021), AML.T0022, AML.T0023.
Deeper analysis
MLflow version 2.11.0 contains a path traversal vulnerability, CVE-2024-3848, that bypasses the earlier fix for CVE-2023-6909. The flaw lies in the handling of artifact URLs: a “#” character places an attacker-controlled path in the URL fragment, causing the application to skip protocol-scheme validation and convert the fragment directly into a filesystem path.
An unauthenticated remote attacker can therefore supply a crafted artifact URL that results in arbitrary file reads on the server, including SSH keys and cloud credentials. The vulnerability is rated CVSS 7.5 with network attack vector, low complexity, and high confidentiality impact.
The referenced commit f8d51e21523238280ebcfdb378612afd7844eca8 in the mlflow repository applies the corrective validation of URL fragments. The associated EPSS score is currently 0.7610 and reached a peak of 0.7952.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-1773
Vulnerability details
A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '#' character can be used to insert a path into…
more
the fragment, effectively skipping validation. This allows an attacker to construct a URL that, when processed, ignores the protocol scheme and uses the provided path for filesystem access. As a result, an attacker can read arbitrary files, including sensitive information such as SSH and cloud keys, by exploiting the way the application converts the URL into a filesystem path. The issue stems from insufficient validation of the fragment portion of the URL, leading to arbitrary file read through path traversal.
- CWE(s)
AI Security AnalysisAI
- AI Category
- Other Platforms
- Risk Domain
- Privacy and Disclosure
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- MLflow is an open-source platform for managing the end-to-end machine learning lifecycle, including experiment tracking, model packaging, and artifact storage, which fits 'Other Platforms'. The vulnerability in artifact URL handling is reported on an AI/ML bug bounty platform (huntr.com).
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in MLflow (public-facing app) enables exploitation (T1190), arbitrary file reads for file/system discovery and collection (T1083, T1005), and stealing unsecured credentials/private keys from files (T1552.001, T1552.004).
MITRE ATLAS TechniquesAI
MITRE ATLAS techniques
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.