Severity: Medium

Package: mlflow

Denial of Service and Data Model Poisoning via URL Encoding in MLflow

A vulnerability in MLflow version 2.11.1 allows attackers to create multiple models with the same name using URL encoding, leading to Denial of Service or Data Model Poisoning. The issue stems from insufficient validation of URL-encoded model names: a name that differs from an existing one only in its encoding is accepted at creation time but collides with the existing model when accessed, causing confusion and potential security risks. The specific patch version fixing this issue was not mentioned.

Available publicly on May 03 2024

CVSS score: 5.4

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Credit:

dan-xzero

Threat Overview

The core of the vulnerability lies in MLflow's handling of model names. Normally, MLflow prevents the creation of multiple models with the same name to maintain integrity and avoid confusion. However, by exploiting URL encoding, an attacker can bypass this restriction and create a model with a name that, once URL-decoded, matches an existing model's name. This flaw can lead to two major threats: Denial of Service, where legitimate users cannot access the correct model due to name collisions, and Data Model Poisoning, where an attacker's malicious model could be mistaken for a legitimate one.

Attack Scenario

An attacker first identifies a target model name to exploit. They then create a new model, using URL encoding to bypass MLflow's name uniqueness constraint, effectively creating a model with the same name as the target. When a legitimate user attempts to access the original model, they are instead directed to the attacker's model. This can result in either denial of service, where the user cannot access the needed model, or model poisoning, where the user unknowingly interacts with a malicious model.
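The overview and scenario above describe a uniqueness check that compares raw submitted names, so an encoded variant slips past it and only collides after decoding. The following is an added example, not MLflow's own code, of a minimal in-memory registry with the naive check beside a hardened one that canonicalizes names (repeated percent-decoding until stable, Unicode NFKC normalization, whitespace trimming) before comparing, and rejects any submitted name that is not already in canonical form. The registry class, function names and the sample model names are constructed for illustration.

```python
from urllib.parse import unquote
import unicodedata


class ModelNameCollision(ValueError):
    """Raised when a new name would resolve to an existing model."""


class NonCanonicalModelName(ValueError):
    """Raised when a submitted name changes under decoding/normalization."""


def canonical_model_name(name: str) -> str:
    """Return the canonical form of a model name.

    Percent-decoding is repeated until the string stops changing so that
    double-encoded input (e.g. %252D -> %2D -> -) cannot hide a collision.
    NFKC folds compatibility characters (fullwidth letters, ligatures) so
    visually identical names compare equal.
    """
    current = name
    for _ in range(8):  # bounded loop; real names stabilize in 1-2 rounds
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return unicodedata.normalize("NFKC", current).strip()


class NaiveRegistry:
    """Vulnerable pattern: uniqueness is checked on the raw submitted string."""

    def __init__(self) -> None:
        self._models: dict[str, str] = {}

    def create(self, name: str) -> str:
        if name in self._models:
            raise ModelNameCollision(name)
        self._models[name] = name
        return name

    def names(self) -> list[str]:
        return sorted(self._models)


class HardenedRegistry:
    """Hardened pattern: canonicalize first, then enforce uniqueness on the
    canonical form, and refuse names that are not already canonical."""

    def __init__(self) -> None:
        self._models: dict[str, str] = {}

    def create(self, name: str) -> str:
        canon = canonical_model_name(name)
        if canon != name:
            # The client sent an encoded or non-normalized spelling; reject it
            # rather than silently registering a look-alike.
            raise NonCanonicalModelName(name)
        if canon in self._models:
            raise ModelNameCollision(canon)
        self._models[canon] = name
        return canon

    def names(self) -> list[str]:
        return sorted(self._models)


def find_lookalike_names(registered: list[str]) -> dict[str, list[str]]:
    """Defender-side audit: group already-registered names by canonical form
    so operators can spot collisions introduced before the check was added.
    Returns only groups with more than one distinct raw spelling."""
    groups: dict[str, list[str]] = {}
    for raw in registered:
        groups.setdefault(canonical_model_name(raw), []).append(raw)
    return {canon: raws for canon, raws in groups.items() if len(raws) > 1}


if __name__ == "__main__":
    naive = NaiveRegistry()
    naive.create("fraud-detector")
    naive.create("fraud%2Ddetector")  # accepted: two entries, one name
    print("naive registry:", naive.names())

    hardened = HardenedRegistry()
    hardened.create("fraud-detector")
    try:
        hardened.create("fraud%2Ddetector")
    except NonCanonicalModelName as exc:
        print("hardened registry rejected:", exc)
    print("look-alikes in naive data:", find_lookalike_names(naive.names()))
```

The audit helper is the piece an operator of an already-deployed instance would run first: it reports which registered names share a canonical form, which is exactly the condition the advisory says should never occur.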

Who is affected

The vulnerability primarily affects authenticated users of MLflow who rely on the integrity and uniqueness of model names for accessing and managing machine learning models. This includes data scientists, ML engineers, and any stakeholders in the ML lifecycle who interact with MLflow for model versioning, tracking, and deployment.
