BIT-mlflow-2024-3573
Local File Inclusion vulnerability in mlflow (PyPI)
What is BIT-mlflow-2024-3573 About?
The mlflow/mlflow project is vulnerable to Local File Inclusion (LFI) due to improper URI parsing, allowing circumvention of checks to read arbitrary files. Attackers can bypass security mechanisms and access sensitive system files. Exploitation is moderately easy, requiring specially crafted URIs in model versions.
Affected Software
- mlflow
- <2.10.0
- <438a450714a3ca06285eeea34bdc6cf79d7f6cbc
Technical Details
The vulnerability in mlflow/mlflow stems from the is_local_uri function's failure to correctly parse URIs with empty or 'file' schemes, causing them to be misclassified as non-local. This improper sanitization allows an attacker to craft a malicious model version with a specially designed source parameter in its URI. By leveraging directory traversal techniques (e.g., ../../) within this source parameter, an attacker can bypass the intended checks and trick the application into reading arbitrary files from the local filesystem, including files outside the intended model directory, within at least two directory levels from the server's root.
What is the Impact of BIT-mlflow-2024-3573?
Successful exploitation may allow attackers to read arbitrary files on the system, including sensitive configuration files, source code, or credentials, leading to information disclosure and potential further compromise.
What is the Exploitability of BIT-mlflow-2024-3573?
Exploitation of this LFI vulnerability has moderate complexity. It requires an attacker to be able to upload or modify a model version within MLflow, specifically setting a malicious source parameter. This implies some level of authentication or access to the MLflow tracking server. The exploitation is typically remote, as the attacker would interact with the MLflow API to upload the malicious model. No elevated privileges are strictly required beyond the ability to manage model versions. The primary risk factor is the presence of an accessible MLflow instance where users can submit or modify model metadata and URIs without sufficient validation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for BIT-mlflow-2024-3573?
Available Upgrade Options
- mlflow
- <2.10.0 → Upgrade to 2.10.0
- mlflow
- <438a450714a3ca06285eeea34bdc6cf79d7f6cbc → Upgrade to 438a450714a3ca06285eeea34bdc6cf79d7f6cbc
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2024-243.yaml
- https://huntr.com/bounties/8ea058a7-4ef8-4baf-9198-bc0147fc543c
- https://osv.dev/vulnerability/GHSA-hq88-wg7q-gp4g
- https://nvd.nist.gov/vuln/detail/CVE-2024-3573
- https://github.com/mlflow/mlflow
- https://github.com/mlflow/mlflow/commit/438a450714a3ca06285eeea34bdc6cf79d7f6cbc
- https://huntr.com/bounties/8ea058a7-4ef8-4baf-9198-bc0147fc543c
- https://github.com/mlflow/mlflow/commit/438a450714a3ca06285eeea34bdc6cf79d7f6cbc
- https://osv.dev/vulnerability/PYSEC-2024-243
- https://github.com/mlflow/mlflow/commit/438a450714a3ca06285eeea34bdc6cf79d7f6cbc
What are Similar Vulnerabilities to BIT-mlflow-2024-3573?
Similar Vulnerabilities: CVE-2023-50164 , CVE-2023-38038 , CVE-2023-28432 , CVE-2022-31513 , CVE-2022-42940
