High

mlflow

Path Traversal via Model Version Source

A path traversal vulnerability was identified in MLflow version 2.9.2, allowing attackers to read arbitrary files on the server. The issue resides in the `_create_model_version()` function, which improperly validates the `source` parameter. This vulnerability was patched in a version following 2.9.2.

Available publicly on Apr 16 2024

7.5

CVSS:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Credit:

ozelis
Threat Overview

The vulnerability stems from inadequate validation of the source parameter in the _create_model_version() function. Specifically, the _validate_source() function fails to properly sanitize the source parameter, allowing an attacker to craft a source URI that bypasses path traversal checks. This crafted URI can then be used to read arbitrary files on the server when interacting with the /model-versions/get-artifact handler, which incorrectly constructs the final path for artifact retrieval based on the unsanitized source.

Attack Scenario

An attacker crafts a malicious source URI containing encoded path traversal sequences and submits it through the model version creation process. The system incorrectly validates this URI, allowing it to be used in subsequent requests to retrieve artifacts. The attacker then makes a request to the /model-versions/get-artifact endpoint with a normal-looking path parameter, which, combined with the malicious source, results in arbitrary file access on the server.

Who is affected

Any deployments of MLflow version 2.9.2 are vulnerable to this attack, potentially allowing attackers to read arbitrary files on the server. This affects administrators and users of MLflow who rely on the integrity and confidentiality of their data.

Technical Report
Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have - related security advisories that are available with Sightline Premium.