CVE-2024-2928 PoC — MLflow 安全漏洞

Source

https://github.com/nuridincersaygili/CVE-2024-2928

Associated Vulnerability

Title:MLflow 安全漏洞 (CVE-2024-2928)
Description:Mlflow是一个机器学习生命周期的开源平台。 MLflow 存在安全漏洞，该漏洞源于发现了一个本地文件包含 (LFI) 漏洞。

Description

Arbitrary file read exploit for CVE-2024-2928 in mlflow

Readme

# CVE-2024-2928
Arbitrary file read exploit for CVE-2024-2928 in mlflow (specifically in version 2.9.2, which was fixed in version 2.11.3)

The exploit code tested on Linux

Source: https://huntr.com/bounties/19bf02d7-6393-4a95-b9d0-d6d4d2d8c298

Usage python3 CVE-2024-2928.py -t 127.0.0.1 -p 5000

* After run, give the full path of the file
  * If the file exists and the process has sufficient permissions to read it, than the contents will be displayed
  * Otherwise "File not found" message will appear

* Press Ctrl + C to exit

File Snapshot


 [4.0K]  /data/pocs/9f38aa8dfb9c944f8858a85211c05d336bb83663
├── [2.6K]  CVE-2024-2928.py
├── [1.0K]  LICENSE
└── [ 535]  README.md

0 directories, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!