Scheme Confusion Leading to Local File Read
A vulnerability in MLflow version 2.7.1 allows attackers to read local files due to scheme confusion in URI parsing. The issue was patched in version 2.10.0. The vulnerability arises from improper handling of URIs with empty or 'file' schemes, enabling attackers to bypass checks intended to restrict access to local files.
Available publicly on Apr 16 2024 | Available with Premium on Jan 11 2024
Threat Overview
The vulnerability stems from the 'is_local_uri' function's failure to correctly identify URIs with an empty scheme or 'file' scheme as local, combined with the 'is_file_uri' function not treating an empty scheme as equivalent to a 'file' scheme. This flaw allows attackers to craft URIs that bypass security checks, leading to unauthorized local file access. The impact is significant because attackers could read sensitive files on the server, including SSH keys, artifact information, internal configurations, and other sensitive data.
Attack Scenario
An attacker crafts a malicious model version with a source URI designed to exploit the scheme confusion vulnerability ('//home/user/' or 'file://home/user/'). When the MLflow server processes this URI, it mistakenly treats it as a valid local file path due to the vulnerability. The attacker then requests an artifact from this model version, leading to unauthorized access to local files on the server.
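The following is an added example, not MLflow's code and not part of the original advisory. It shows how Python's urllib.parse splits the two URI shapes named above and why a locality check that trusts the authority component misclassifies them. The function names, the allow-list and the sample URIs other than the two quoted above are assumptions made for illustration.

```python
from urllib.parse import urlparse

LOCAL_SCHEMES = {"", "file"}

def naive_is_local(uri):
    """Constructed weak check (hypothetical, not MLflow's code):
    any non-loopback hostname makes the URI count as remote."""
    p = urlparse(uri)
    if p.hostname and p.hostname not in ("localhost", "127.0.0.1"):
        return False
    return p.scheme in LOCAL_SCHEMES

def strict_is_local(uri):
    """Hardened check: an empty or 'file' scheme is always local,
    whatever urlparse placed in the authority (netloc) component."""
    return urlparse(uri).scheme.lower() in LOCAL_SCHEMES

def validate_source(uri, allowed_schemes=frozenset({"s3", "https"})):
    """Allow-list validation for a model-version source URI.
    The allowed schemes are an assumption; use the stores you really serve."""
    if strict_is_local(uri) or urlparse(uri).scheme.lower() not in allowed_schemes:
        raise ValueError(f"rejected source URI: {uri!r}")
    return uri

# Constructed sample inputs; the first two are the shapes from the advisory.
SAMPLES = [
    "//home/user/",        # empty scheme, 'home' parsed as the host
    "file://home/user/",   # file scheme, 'home' parsed as the host
    "/home/user/",         # plain path
    "file:///home/user/",  # canonical file URI
    "s3://bucket/model",   # genuinely remote
]

def compare(samples=SAMPLES):
    """Return (uri, scheme, netloc, naive verdict, strict verdict) per sample."""
    rows = []
    for uri in samples:
        p = urlparse(uri)
        rows.append((uri, p.scheme, p.netloc, naive_is_local(uri), strict_is_local(uri)))
    return rows

if __name__ == "__main__":
    for row in compare():
        print(row)
```

The first two rows are where the two checks disagree: the directory name 'home' lands in the netloc field, so a host-based check reports the URI as non-local while the scheme says otherwise.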
Who is affected
Any deployment of MLflow version 2.7.1 or earlier without the patch applied is vulnerable. The vulnerability specifically affects servers where MLflow is used to manage and serve machine learning models and artifacts. Users and organizations relying on affected versions for model versioning and artifact storage are at risk of unauthorized file access.