Path Traversal Bypass in Artifact Retrieval
A vulnerability in mlflow version 2.11.0 allows for path traversal due to improper validation of artifact URLs. By appending a '#' to the URL, attackers can bypass security checks and read arbitrary files. This issue was patched in version 2.12.1.
Available publicly on Apr 26 2024 | Available with Premium on Apr 17 2024
Threat Overview
The vulnerability stems from the application's handling of artifact URLs. Specifically, the security mechanism in place to prevent path traversal attacks can be bypassed by including a '#' character in the URL, which causes the application to interpret the subsequent path as a fragment, thus skipping validation. This flaw allows attackers to construct URLs that, when processed by the application, result in arbitrary file read access on the server.
Attack Scenario
An attacker starts by creating an experiment in mlflow with an artifact location that includes a path traversal sequence preceded by a '#'. They then create a run and a registered model linked to this run, specifying a file (e.g., '/etc/passwd') as the source. Finally, the attacker can request this file through the mlflow interface, leading to unauthorized file access.
Who is affected
Any deployments of mlflow version 2.11.0 where users can create experiments and specify artifact locations are vulnerable. This includes environments where mlflow is exposed to untrusted users who can exploit this vulnerability to read arbitrary files on the server.
Technical Report
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.