BIT-mlflow-2023-6974
Path Traversal vulnerability in mlflow (PyPI)


What is BIT-mlflow-2023-6974 About?

This advisory covers a Path Traversal weakness ("Improper Limitation of a Pathname to a Restricted Directory", together with "Improper Link Resolution Before File Access") in mlflow versions before 2.9.2. Attacker-controlled path data, for example the entry names of a maliciously crafted tar archive that the application extracts, can cause files to be written or overwritten outside the intended directory. Because the only prerequisite is the ability to supply the crafted input, the issue is easy to exploit and can lead to system compromise.

Affected Software

mlflow <2.9.2

Technical Details

In the affected versions (mlflow before 2.9.2), filenames taken from attacker-supplied input are not adequately sanitized or validated before they are used to build a destination path on the server's filesystem. In the archive-extraction scenario this advisory describes, an attacker crafts a tar file whose entries carry directory traversal sequences (e.g. `../../`) or absolute paths (e.g. `/flag.txt`), or link entries whose targets point outside the extraction directory. When such an archive is extracted, the entries are written to locations outside the intended directory. The attacker can therefore write or overwrite any file the application process has permission to write, which may include sensitive system files, configuration files, or web server content, leading to arbitrary code execution or full system compromise.
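The following is an added illustration of the flaw class described above and of the check that prevents it; it is not code from mlflow or from the advisory. It contrasts the vulnerable pattern (joining an untrusted name onto a base directory without validation) with a hardened check that resolves `..` segments, absolute paths and link targets against the intended directory, and it audits a constructed sample archive without extracting anything. The archive contents, the destination directory name and the function names are assumptions made for the example.

```python
import io
import os
import tarfile


def is_within_directory(base_dir: str, target: str) -> bool:
    """True only if `target`, joined onto `base_dir` and fully resolved
    (`..` segments, absolute paths and existing symlinks), still lies
    inside `base_dir`."""
    base = os.path.realpath(base_dir)
    resolved = os.path.realpath(os.path.join(base, target))
    return os.path.commonpath([base, resolved]) == base


def unsafe_destination(base_dir: str, user_path: str) -> str:
    """Vulnerable pattern: os.path.join() silently discards `base_dir`
    when `user_path` is absolute, and `..` segments are never checked."""
    return os.path.join(base_dir, user_path)


def safe_destination(base_dir: str, user_path: str) -> str:
    """Hardened pattern: refuse any name that escapes the base directory."""
    if not is_within_directory(base_dir, user_path):
        raise ValueError(f"path escapes the target directory: {user_path!r}")
    return os.path.join(os.path.realpath(base_dir), user_path)


def audit_tar_members(data: bytes, dest_dir: str) -> dict:
    """Classify every member of an in-memory tar archive as safe or rejected
    without extracting. Symlink targets are resolved relative to the link's
    own directory, which is how an extractor would resolve them; hardlink
    targets are archive-relative and are checked against dest_dir directly."""
    safe, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if not is_within_directory(dest_dir, member.name):
                rejected.append((member.name, "name escapes dest_dir"))
                continue
            if member.issym() or member.islnk():
                target = member.linkname
                if member.issym() and not os.path.isabs(target):
                    target = os.path.join(os.path.dirname(member.name), target)
                if not is_within_directory(dest_dir, target):
                    rejected.append(
                        (member.name, f"link target {member.linkname!r} escapes dest_dir")
                    )
                    continue
            safe.append(member.name)
    return {"safe": safe, "rejected": rejected}


def build_sample_archive() -> bytes:
    """Constructed sample archive for this example (not from any real
    incident): one benign entry followed by three malicious ones."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name: str, payload: bytes = b"x") -> None:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))

        add_file("model/weights.bin")          # benign, stays inside dest_dir
        add_file("../../evil.txt")             # traversal via '..' segments
        add_file("/flag.txt")                  # absolute path, base discarded
        link = tarfile.TarInfo("model/link")   # symlink escaping dest_dir
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../etc/cron.d"
        tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    dest = "/tmp/mlflow-extract"  # assumed extraction directory
    print("unsafe join of '/flag.txt':", unsafe_destination(dest, "/flag.txt"))
    report = audit_tar_members(build_sample_archive(), dest)
    for name in report["safe"]:
        print("safe    :", name)
    for name, reason in report["rejected"]:
        print("rejected:", name, "->", reason)
```

The check must run on the fully resolved path, not on the raw string: a prefix comparison on `os.path.join(base, name)` alone passes `../../evil.txt`, and a sibling directory such as `/tmp/mlflow-extract-evil` would pass a naive `startswith(base)` test, which is why `os.path.commonpath` is used. Python 3.12 and later also offer `tarfile.extractall(..., filter="data")`, which rejects the same classes of entry at extraction time.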

What is the Impact of BIT-mlflow-2023-6974?

Successful exploitation may allow attackers to write or overwrite arbitrary files on the filesystem, leading to data corruption, denial of service, or remote code execution and full system compromise.

What is the Exploitability of BIT-mlflow-2023-6974?

Exploitation is of low complexity. An attacker needs only to supply a maliciously crafted tar archive, or other attacker-controlled path data, to an affected mlflow deployment that processes it, typically remotely through a file upload function that extracts archives. No authentication or special privileges are required beyond the ability to submit the malicious input. The primary prerequisite is that the target processes archives or paths from untrusted sources. The risk is highest when entry-name filtering is disabled or lax, and whenever user-supplied archives are processed without robust path validation (resolving `..` segments, absolute paths and link targets against the intended directory before anything is written).

What are the Known Public Exploits?

No known public exploits are listed for this advisory.

What are the Available Fixes for BIT-mlflow-2023-6974?

Available Upgrade Options

  • mlflow
    • <2.9.2 → Upgrade to 2.9.2


Additional Resources

What are Similar Vulnerabilities to BIT-mlflow-2023-6974?

Similar Vulnerabilities: CVE-2021-41098 , CVE-2020-28254 , CVE-2019-8386 , CVE-2018-1002105 , CVE-2017-1000350