CVE-2023-2356
Relative Path Traversal vulnerability in mlflow (PyPI)
What is CVE-2023-2356 About?
This vulnerability is a Relative Path Traversal flaw in the GitHub repository mlflow/mlflow prior to version 2.3.1. It allows an attacker to access files and directories outside of an intended path using relative path sequences. The impact can range from information disclosure to potential arbitrary file manipulation, making exploitation relatively straightforward.
Affected Software
- mlflow (PyPI): versions <2.3.1, i.e. builds prior to commit f73147496e05c09a8b83d95fb4f1bf86696c6342
Technical Details
The Relative Path Traversal vulnerability in mlflow/mlflow (prior to 2.3.1) arises when the application incorrectly handles file paths that include relative path specifiers. An attacker can supply input containing sequences like ../ (dot-dot-slash) in a path parameter or component. Instead of sanitizing or normalizing these paths, the application attempts to resolve them relative to a base directory, but allows the ../ sequence to navigate upwards in the directory structure. This bypasses security checks meant to confine file access to a specific directory. Consequently, an attacker can access, read, or potentially write to files and directories located outside the intended application sandbox, leading to unauthorized access to sensitive data or configuration files.
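The following Python is an added illustration of the flaw class described above, not mlflow's own code: a resolver that joins a user-supplied component onto a base directory without rejecting ../ sequences, beside a hardened version that canonicalises the result and refuses anything outside the base. The base directory and file names are constructed assumptions.

```python
import os

# Constructed example (not mlflow's code). BASE_DIR is an assumed artifact
# root used only for illustration.
BASE_DIR = "/srv/artifacts"


def resolve_weak(base_dir: str, user_path: str) -> str:
    """Weak resolver: joins the component onto the base and normalises it.

    os.path.join neither rejects "../" nor an absolute second argument, and
    normpath happily collapses "base/../../etc" to "/etc", so the result can
    land outside base_dir. This is the pattern the advisory describes.
    """
    return os.path.normpath(os.path.join(base_dir, user_path))


def resolve_confined(base_dir: str, user_path: str) -> str:
    """Hardened resolver: canonicalise both sides and require containment.

    realpath resolves "../" and symlinks; commonpath (rather than a string
    prefix check) ensures "/srv/artifacts-evil" is not accepted as being
    inside "/srv/artifacts".
    """
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, user_path))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def is_confined(base_dir: str, user_path: str) -> bool:
    """True if user_path resolves to a location inside base_dir."""
    try:
        resolve_confined(base_dir, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one benign, the rest traversal attempts.
    for p in ("run1/model.pkl", "../../etc/passwd", "/etc/passwd",
              "run1/../../secret", "../artifacts-evil/x"):
        print(f"{p!r:24} weak -> {resolve_weak(BASE_DIR, p):28} "
              f"confined? {is_confined(BASE_DIR, p)}")
```

The weak resolver returns a path for every input; only the confined resolver rejects the four traversal cases, including the sibling-directory case a prefix check would miss.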
What is the Impact of CVE-2023-2356?
Successful exploitation may allow attackers to read, write, or modify arbitrary files on the system, leading to information disclosure, unauthorized data manipulation, or potentially remote code execution if sensitive scripts or configurations are altered.
What is the Exploitability of CVE-2023-2356?
Exploitation of this relative path traversal vulnerability is of low complexity. It involves crafting inputs with specific relative path sequences and does not require sophisticated tools. Authentication requirements depend on whether the vulnerable file handling functionality is reachable before authentication; if it is, no authentication is needed. Privilege requirements are typically low, as the vulnerability lies in the application logic itself. Exploitation can be local or remote, depending on how the vulnerable input is processed. There are no special preconditions beyond the application processing user-supplied paths without proper sanitization. The likelihood of exploitation increases if mlflow instances are publicly exposed and accept user-controlled file paths.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-2356?
Available Upgrade Options
- mlflow <2.3.1 → Upgrade to 2.3.1
- mlflow prior to commit f73147496e05c09a8b83d95fb4f1bf86696c6342 → Upgrade to a build that includes commit f73147496e05c09a8b83d95fb4f1bf86696c6342
Additional Resources
- https://osv.dev/vulnerability/PYSEC-2023-68
- https://github.com/mlflow/mlflow/commit/f73147496e05c09a8b83d95fb4f1bf86696c6342
- https://nvd.nist.gov/vuln/detail/CVE-2023-2356
- https://huntr.dev/bounties/7b5d130d-38eb-4133-8c7d-0dfc9a9d9896
- https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2023-68.yaml
- https://github.com/mlflow/mlflow
What are Similar Vulnerabilities to CVE-2023-2356?
Similar Vulnerabilities: CVE-2022-4244, CVE-2018-19609, CVE-2018-19296, CVE-2020-25695, CVE-2021-3642
