{"id":"CVE-2024-3848","details":"A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '#' character can be used to insert a path into the fragment, effectively skipping validation. This allows an attacker to construct a URL that, when processed, ignores the protocol scheme and uses the provided path for filesystem access. As a result, an attacker can read arbitrary files, including sensitive information such as SSH and cloud keys, by exploiting the way the application converts the URL into a filesystem path. The issue stems from insufficient validation of the fragment portion of the URL, leading to arbitrary file read through path traversal.","aliases":["BIT-mlflow-2024-3848","GHSA-rfqq-wq6w-72jm","PYSEC-2024-244"],"modified":"2026-04-12T10:54:00.684666Z","published":"2024-05-16T09:15:14.543Z","references":[{"type":"REPORT","url":"https://huntr.com/bounties/8d5aadaa-522f-4839-b41b-d7da362dd610"},{"type":"FIX","url":"https://github.com/mlflow/mlflow/commit/f8d51e21523238280ebcfdb378612afd7844eca8"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mlflow/mlflow","events":[{"introduced":"0"},{"fixed":"328242e01b766129396415be219cb96127097501"},{"fixed":"f8d51e21523238280ebcfdb378612afd7844eca8"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.12.1"}]}}],"versions":["1.0.0","v0.2.0","v0.2.1","v0.3.0","v0.4.0","v0.4.1","v0.4.2","v0.5.0","v0.6.0","v0.7","v0.8.0","v0.8.1","v1.7.0","v2.2.0"],"database_specific":{"vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["331374387258698623515503197375262902471","56531494967603305558894176301696978897","156845208350900572074037141806451871031","236113965666297154310270274411699188635"]},"signature_version":"v1","source":"https://github.com/mlflow/mlflow/commit/328242e01b766129396415be219cb96127097501","signature_type":"Line","target":{"file":"mlflow/java/scoring/src/main/java/org/mlflow/sagemaker/ScoringServer.java"},"id":"CVE-2024-3848-0490fec7","deprecated":false},{"digest":{"function_hash":"103832320670295227953645632588587077659","length":189},"signature_version":"v1","source":"https://github.com/mlflow/mlflow/commit/328242e01b766129396415be219cb96127097501","signature_type":"Function","target":{"function":"doGet","file":"mlflow/java/scoring/src/main/java/org/mlflow/sagemaker/ScoringServer.java"},"id":"CVE-2024-3848-54219b73","deprecated":false},{"digest":{"function_hash":"248178710733966095301624193790593745960","length":483},"signature_version":"v1","source":"https://github.com/mlflow/mlflow/commit/328242e01b766129396415be219cb96127097501","signature_type":"Function","target":{"function":"testScoringServerWithValidPredictorRespondsToVersionCorrectly","file":"mlflow/java/scoring/src/test/java/org/mlflow/ScoringServerTest.java"},"id":"CVE-2024-3848-9f1fee19","deprecated":false},{"digest":{"threshold":0.9,"line_hashes":["227586388277291964245723347465144503129","214612006548484888068671228559130409821","141702509437346544668394886097631250819","44304877576058785675745254216915397335"]},"signature_version":"v1","source":"https://github.com/mlflow/mlflow/commit/328242e01b766129396415be219cb96127097501","signature_type":"Line","target":{"file":"mlflow/java/scoring/src/test/java/org/mlflow/ScoringServerTest.java"},"id":"CVE-2024-3848-d79dc76d","deprecated":false}],"vanir_signatures_modified":"2026-04-12T10:54:00Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-3848.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}