### [CVE-2024-3848](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3848)
![](https://img.shields.io/static/v1?label=Product&message=mlflow%2Fmlflow&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=2.11.0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=unspecified%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-29%20Path%20Traversal%3A%20'%5C..%5Cfilename'&color=brightgreen)

### Description

A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '#' character can be used to insert a path into the fragment, effectively skipping validation. This allows an attacker to construct a URL that, when processed, ignores the protocol scheme and uses the provided path for filesystem access. As a result, an attacker can read arbitrary files, including sensitive information such as SSH and cloud keys, by exploiting the way the application converts the URL into a filesystem path. The issue stems from insufficient validation of the fragment portion of the URL, leading to arbitrary file read through path traversal.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/20142995/nuclei-templates
- https://github.com/ARPSyndicate/cve-scores