I want to develop a plugin for mlflow LFI - CVE-2024-2928
Hi,
I want to develop a plugin for mlflow LFI - CVE-2024-2928
Vulnerability Information: This vulnerability enables malicious users to read sensitive files on the server. It also covers CVE-2023-6909 because it is a new bypass. Neither CVE exists in Tsunami Plugins.
Vulnerable versions are those below 2.11.3.
References:
The vulnerability requires five HTTP requests: one is GET and the other four are POST. After creating a model and an experiment, and after linking them, one can read files on the filesystem.