Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Path Traversal Vulnerability in mlflow/mlflow
Vulnerability Description
A path traversal vulnerability exists in the `_create_model_version()` function within `server/handlers.py` of the mlflow/mlflow repository, due to improper validation of the `source` parameter. Attackers can exploit this vulnerability by crafting a `source` parameter that bypasses the `_validate_non_local_source_contains_relative_paths(source)` function's checks, allowing for arbitrary file read access on the server. The issue arises from the handling of unquoted URL characters and the subsequent misuse of the original `source` value for model version creation, leading to the exposure of sensitive files when interacting with the `/model-versions/get-artifact` handler.
CVSS Information
N/A
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Vulnerability Title
Mlflow 路径遍历漏洞
Vulnerability Description
Mlflow是一个机器学习生命周期的开源平台。 Mlflow 存在路径遍历漏洞,该漏洞源于对“source”参数验证不当。攻击者利用该漏洞在服务器上可以读取访问任意文件。
CVSS Information
N/A
Vulnerability Type
N/A