High

mlflow

Path Traversal via Fragment Component in Artifact Location

A vulnerability in mlflow version 2.9.2 allows attackers to read arbitrary files through path traversal using the fragment component in the `artifact_location` field when creating an experiment. This issue, similar to CVE-2023-6909 but exploiting the fragment component, was patched in the version following 2.9.2.

Available publicly on Apr 16 2024

7.5

CVSS:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Credit:

ozelis
Threat Overview

The vulnerability stems from the improper handling of the fragment component (#) in the artifact_location URI when creating an experiment in mlflow. Attackers can exploit this by crafting a malicious artifact_location that includes a path traversal sequence following a #, leading to arbitrary file read capabilities. This could potentially expose sensitive information stored on the server, compromising the integrity and confidentiality of the system.

Attack Scenario

An attacker crafts a request to create a new experiment in mlflow, specifying an artifact_location with a path traversal sequence following a #. This allows the attacker to later create a registered model version that points to an arbitrary file on the server. By requesting the artifact of this model version, the attacker can read the contents of the file, such as /etc/passwd, thereby gaining access to sensitive information.

Who is affected

Any system running mlflow version 2.9.2 that allows users to specify artifact_location when creating experiments is vulnerable. This includes environments where mlflow is used for managing machine learning experiments and models, potentially exposing sensitive files on the server to unauthorized access.

Technical Report
Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have - related security advisories that are available with Sightline Premium.