CVE-2024-2928 — AI Deep Analysis Summary

🚨 **Essence**: MLflow suffers from a **Local File Inclusion (LFI)** / **Path Traversal** flaw due to improper URI fragment parsing.…

🛡️ **Root Cause**: **CWE-29** (Path Traversal). The vulnerability stems from **improper URI fragment parsing** in the MLflow application logic, allowing malicious paths to bypass security controls.

📦 **Affected**: **MLflow** (specifically versions **prior to 2.11.3**). Tested on version **2.9.2**. The component is `mlflow/mlflow`.

🕵️ **Attacker Capabilities**: Can perform **Arbitrary File Read**. If the process has sufficient permissions, it can view the **contents** of any file on the server. This exposes **sensitive information**.

⚠️ **Exploitation Threshold**: **Low**. The exploit is a **Local File Inclusion** via URI parsing.…

💣 **Public Exploit**: **YES**. Multiple PoCs are available: 1. Python script (`CVE-2024-2928.py`) on GitHub. 2. Nuclei template for automated scanning. 3. Usage: `python3 CVE-2024-2928.py -t 127.0.0.1 -p 5000`.

🔍 **Self-Check**: 1. Check MLflow version (if < 2.11.3, you are vulnerable). 2. Use **Nuclei** with the CVE-2024-2928 template. 3. Test with the provided Python PoC against port 5000.

✅ **Official Fix**: **YES**. Fixed in version **2.11.3**. Commit `96f0b573a73d8eedd6735a2ce26e08859527be07` addresses the issue.

🚧 **No Patch?**: 1. **Upgrade** to MLflow >= 2.11.3 immediately. 2. If upgrade is impossible, restrict network access to the MLflow service. 3.…

🔥 **Urgency**: **HIGH**. Public exploits exist, and the impact involves **data leakage**. Immediate patching or mitigation is recommended to prevent unauthorized file access.