Is CVE-2024-3848 in the CISA KEV catalog?

No. CVE-2024-3848 is not currently on the CISA Known Exploited Vulnerabilities list.

What is the CVSS severity of CVE-2024-3848?

CVE-2024-3848 has a CVSS v3 base score of 7.5 (HIGH).

What is the EPSS score for CVE-2024-3848?

CVE-2024-3848 has an EPSS score of 43.28% (99th percentile), estimating the probability of exploitation in the next 30 days.

CVE & CISA-KEV Catalog

CVE-2024-3848

HIGHEPSS 99th pctl

7.5

CVSS v3

NVD

Description

A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '#' character can be used to insert a path into the fragment, effectively skipping validation. This allows an attacker to construct a URL that, when processed, ignores the protocol scheme and uses the provided path for filesystem access. As a result, an attacker can read arbitrary files, including sensitive information such as SSH and cloud keys, by exploiting the way the application converts the URL into a filesystem path. The issue stems from insufficient validation of the fragment portion of the URL, leading to arbitrary file read through path traversal.

CWE-29 CWE-22Path Traversal

CVSS v3 Vector

Exploitability

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

ScopeUnchanged

Impact

ConfidentialityHigh

IntegrityNone

AvailabilityNone

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploit Intelligence

43.28%probability of exploitation in 30 days

99thpercentile

Very high risk: more likely to be exploited than 99% of all known CVEs.

References

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2025-01-24.