How severe is CVE-2024-3573?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.3 out of 10.

What type of vulnerability is CVE-2024-3573?

This is classified as CWE-29, which is a common weakness in software security.

CVE-2024-3573

CRITICAL Year: 2024

CVSS v3 Score

9.3

Critical

Weakness Type

CWE-29

View all →

Vulnerability Description

mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary files on the system. The issue arises from the 'is_local_uri' function's failure to properly handle URIs with empty or 'file' schemes, leading to the misclassification of URIs as non-local. Attackers can exploit this by crafting malicious model versions with specially crafted 'source' parameters, enabling the reading of sensitive files within at least two directory levels from the server's root.

CVE-2024-2624

CRITICAL

CVSS:9.4(Critical)

A path traversal and arbitrary file upload vulnerability exists in the parisneo/lollms-webui application, specifically within the `@router.get("/switch_personal_path")` endpoint in `./lollms-webui/lol...

CWE-292024

CVE-2024-5211

CRITICAL

CVSS:9.1(Critical)

A path traversal vulnerability in mintplex-labs/anything-llm allowed a manager to bypass the `normalizePath()` function, intended to defend against path traversal attacks. This vulnerability enables t...

CWE-292024

CVE-2024-5926

CRITICAL

CVSS:9.1(Critical)

A path traversal vulnerability in the get-project-files functionality of stitionai/devika allows attackers to read arbitrary files from the filesystem and cause a Denial of Service (DoS). This issue i...

CWE-292024

CVE-2024-7957

CRITICAL

CVSS:9.1(Critical)

An arbitrary file overwrite vulnerability exists in the ZulipConnector of danswer-ai/danswer, affecting the latest version. The vulnerability arises from the load_credentials method, where user-contro...

CWE-292024

CVE-2024-8537

CRITICAL

CVSS:9.1(Critical)

A path traversal vulnerability exists in the modelscope/agentscope application, affecting all versions. The vulnerability is present in the /delete-workflow endpoint, allowing an attacker to delete ar...

CWE-292024

CVE-2024-8769

CRITICAL

CVSS:9.1(Critical)

A vulnerability in the `LockManager.release_locks` function in aimhubio/aim (commit bb76afe) allows for arbitrary file deletion through relative path traversal. The `run_hash` parameter, which is user...

CWE-292024

CVE-2024-3573

Vulnerability Description

Related Vulnerabilities

CVE-2024-2624

CVE-2024-5211

CVE-2024-5926

CVE-2024-7957

CVE-2024-8537

CVE-2024-8769