Path Traversal: '\..\filename'
CVE-2023-2780
Summary
Path Traversal: "\..\filename" in mlflow versions 2.2.0 through 2.2.2. This issue is a bypass of the fix for CVE-2023-1177.
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- NONE
- HIGH
- HIGH
CWE-29 - Path Traversal: '\..\filename'
The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\..\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.
References
Advisory Timeline
- Published