High

mlflow

LFI Vulnerability via URI Fragment

A Local File Read (LFI) vulnerability was discovered in MLflow version 2.9.2, allowing attackers to read arbitrary files on the server by exploiting the fragment part of the URI. This vulnerability was patched in version 2.11.3.

Available publicly on Apr 23 2024

CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Credit: zpbrent

Threat Overview

The vulnerability arises from the application's failure to validate '../' sequences in the URI fragment, a method used to bypass previous patches aimed at preventing LFI attacks through query strings. By crafting a malicious URI that includes the fragment marker '#' followed by '../' sequences, attackers can traverse the server's directory structure and access sensitive files such as '/etc/passwd'.
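The gap described above, a traversal check that covers the path and query but not the fragment, can be reproduced with Python's standard URI parser. This is an added example, not MLflow's code or its patch; the function names and sample URIs are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Characters that can delimit a '..' segment inside any URI component.
_SEPARATORS = re.compile(r"[/\\=&;?#]")


def has_traversal(component: str) -> bool:
    """Return True if a URI component holds a '..' segment, even percent-encoded."""
    decoded = component
    for _ in range(3):  # peel nested encodings such as %252e%252e
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    else:
        return True  # still changing after three rounds: fail closed
    return ".." in _SEPARATORS.split(decoded)


def path_and_query_only(uri: str) -> bool:
    """Hypothetical incomplete check: accepts the URI if path and query are clean."""
    parts = urlsplit(uri)
    return not (has_traversal(parts.path) or has_traversal(parts.query))


def all_components(uri: str) -> bool:
    """Stricter check: the fragment is validated like every other component."""
    parts = urlsplit(uri)
    return not any(
        has_traversal(c) for c in (parts.path, parts.query, parts.fragment)
    )


# Constructed sample artifact locations (not taken from the advisory).
SAMPLES = [
    "file:///srv/mlflow/artifacts",
    "file:///srv/mlflow/../../etc",
    "file:///srv/mlflow/artifacts#/../../etc",
    "file:///srv/mlflow/artifacts#/%2e%2e/%252e%252e/etc",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        # urlsplit() moves everything after '#' out of .path, so a path-only
        # check never sees the '../' sequences carried in the fragment.
        print(f"{uri!r}: path+query={path_and_query_only(uri)} "
              f"all={all_components(uri)}")
```

The third and fourth samples pass the path-and-query check and are rejected only when the fragment is inspected as well.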

Attack Scenario

An attacker starts the MLflow web server and creates a malicious experiment with an artifact location pointing to a crafted URI containing the fragment marker '#' and directory traversal sequences. They then associate a run to this experiment, create a registered model, and link a model version to the malicious run. Finally, the attacker can read arbitrary files on the server, such as '/etc/passwd', by making a request to the model-versions endpoint with a crafted path parameter.

Who is affected

Users of MLflow version 2.9.2 are affected by this vulnerability. The risk is particularly high for environments where MLflow is exposed to untrusted users, as it allows for the reading of arbitrary files on the server, potentially leading to the disclosure of sensitive information.
