{"data":{"id":"20c0109e-f096-4e45-b9f6-a514cf531565","title":"CVE-2024-8859: A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, co","summary":"MLflow version 2.15.1 has a path traversal vulnerability (a security flaw where attackers can access files outside intended directories) in its dbfs service that allows arbitrary file reading. The vulnerability exists because the service validates only the path portion of a URL and ignores the query parameters and other URL components. It is exploitable when the dbfs service has been configured and is mounted to a local directory.","solution":"A patch is available at https://github.com/mlflow/mlflow/commit/7791b8cdd595f21b5f179c7b17e4b5eb5cbbe654","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2024-8859","publishedAt":"2025-03-20T14:15:44.463Z","cveId":"CVE-2024-8859","cweIds":["CWE-29"],"cvssScore":null,"cvssSeverity":null,"severity":"medium","attackType":["data_extraction"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["MLflow"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.26923,"patchAvailable":null,"disclosureDate":null,"capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality"],"aiComponentTargeted":"training_data","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}