PT-2025-12247 · Mlflow · Mlflow
Published 2025-03-20 · Updated 2025-08-06
CVE-2024-8859
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
mlflow/mlflow version 2.15.1
Description
A path traversal issue exists when users configure and use the dbfs service. The vulnerability arises from concatenating the URL directly into the file protocol, resulting in an arbitrary file read. This occurs because only the path part of the URL is checked, while other parts, such as the query and parameters, are not handled. The issue is triggered when the dbfs service is configured and mounted to a local directory during use.
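As an added, hypothetical illustration of the defect class described above (not MLflow's code), the following Python contrasts a check that inspects only the path component with a stricter resolver that parses the whole URL, refuses every non-path component, decodes percent-encoding after parsing and confines the normalised result to the mount root. The `dbfs:` scheme handling, the `/mnt/dbfs` mount root and the sample URLs are assumptions constructed for the example.

```python
# Added, hypothetical illustration of the defect class described above; not
# MLflow's code. The dbfs: scheme handling, the mount root and the sample
# URLs are assumptions constructed for the example.
import posixpath
from typing import Optional
from urllib.parse import unquote, urlparse

MOUNT_ROOT = "/mnt/dbfs"  # assumed local directory the service is mounted on


def path_only_check(url: str) -> bool:
    """Weak check of the kind the advisory describes: only the path component
    is inspected, so query, params and fragment are never examined and
    percent-encoded dots are not decoded before the comparison."""
    return ".." not in urlparse(url).path


def resolve_strict(url: str, mount_root: str = MOUNT_ROOT) -> Optional[str]:
    """Hardened mapping from a dbfs URL to a local path.

    Parses the whole URL, refuses every component other than the path,
    decodes percent-encoding after parsing, normalises the result and
    confirms it stays inside mount_root. Returns None when rejected."""
    parts = urlparse(url)
    if parts.scheme != "dbfs" or parts.netloc:
        return None  # assumed: the service addresses paths, not hosts
    if parts.params or parts.query or parts.fragment:
        return None  # nothing but the path may reach the file layer
    decoded = unquote(parts.path)
    if "\x00" in decoded or "\\" in decoded:
        return None  # NUL and backslashes have no place in a POSIX path
    candidate = posixpath.normpath(
        posixpath.join(mount_root, decoded.lstrip("/")))
    if candidate != mount_root and not candidate.startswith(mount_root + "/"):
        return None  # normalisation escaped the mount root
    return candidate


if __name__ == "__main__":
    # Constructed samples: one ordinary URL, one carrying traversal in the
    # query string, one with percent-encoded dots in the path.
    for sample in ("dbfs:/data/a.csv",
                   "dbfs:/data/a.csv?x=../../outside",
                   "dbfs:/data/%2e%2e/%2e%2e/outside"):
        print(sample, path_only_check(sample), resolve_strict(sample))
```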
Recommendations
For mlflow/mlflow version 2.15.1, consider disabling the dbfs service until a patch is available to prevent potential exploitation. Restrict access to the dbfs service to minimize the risk of arbitrary file read. Avoid using the dbfs service with local directory mounts until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Path traversal
Affected Products
Mlflow