CVE-2023-6014
Authentication Bypass vulnerability in mlflow (PyPI)
What is CVE-2023-6014 About?
This is an Authentication Bypass vulnerability in MLflow, allowing attackers to arbitrarily create user accounts without any authentication. This directly compromises the security of the system by granting unauthorized access. Exploitation is simple and requires minimal technical skill, posing a significant risk.
Affected Software
Technical Details
The vulnerability lets an attacker bypass the authentication intended to protect account creation in MLflow. The endpoint or function responsible for user registration or account provisioning either lacks an authentication check entirely or contains a logic flaw that allows the check to be circumvented. A request to that endpoint carrying the parameters needed for a new account (e.g., username and password) is processed and the account is created without the server verifying the requester's identity or authorization. Anyone able to reach the endpoint can therefore create arbitrary accounts, including administrative ones if the creation path does not distinguish privilege levels, and thereby gain unauthorized access to the MLflow instance.
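The pattern described above, as an added illustration rather than MLflow's own code: a minimal request dispatcher that exempts its account-creation route from the authentication check, beside a hardened dispatcher that authenticates every route and additionally requires an administrator to create accounts. The `/users/create` path, the `Request` type, the user store and the sample credentials are all constructed for this example; the entry does not name MLflow's actual endpoint.

```python
import base64
from dataclasses import dataclass, field
CREATE_PATH = "/users/create"  # illustrative route, not MLflow's real path

def new_store():
    # Constructed user store: username -> (password, is_admin); sample creds only.
    return {"admin": ("admin-pass", True)}

@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)

def authenticate(req, store):
    """Return the caller's username if Basic credentials match the store, else None."""
    header = req.headers.get("Authorization", "")
    if not header.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    rec = store.get(user)
    return user if rec and rec[0] == pw else None

def create_user(req, store):
    store[req.body["username"]] = (req.body["password"], False)
    return 200

def dispatch_vulnerable(req, store):
    # Bug class: the account-creation route is exempted from the auth check.
    if req.path != CREATE_PATH and authenticate(req, store) is None:
        return 401
    if req.method == "POST" and req.path == CREATE_PATH:
        return create_user(req, store)  # unauthenticated POST succeeds
    return 404

def dispatch_fixed(req, store):
    # Hardened: authenticate every route first; creating users also needs admin.
    caller = authenticate(req, store)
    if caller is None:
        return 401
    if req.method == "POST" and req.path == CREATE_PATH:
        return create_user(req, store) if store[caller][1] else 403
    return 404

def basic_header(user, pw):
    token = base64.b64encode(f"{user}:{pw}".encode()).decode()
    return {"Authorization": "Basic " + token}
```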
What is the Impact of CVE-2023-6014?
Successful exploitation may allow attackers to create arbitrary user accounts, bypass authentication requirements, gain unauthorized access to the system, and potentially escalate privileges.
What is the Exploitability of CVE-2023-6014?
Exploitation is of low complexity: it requires only a crafted request to the MLflow server's account-creation endpoint. No prior authentication or privileges are needed, since the flaw is precisely that these controls are bypassed. The attack is remote and requires network access to the MLflow server; the only prerequisite is an unpatched instance with the flawed account-creation logic. The risk is significantly higher when the instance is exposed to the internet, where any remote attacker can create accounts and gain initial access.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-6014?
Available Upgrade Options
- mlflow
  - <2.8.0 → Upgrade to 2.8.0
Additional Resources
- https://github.com/mlflow/mlflow/commit/32de2154ef9f946160e5dc01a4d8a449dd0bd259
- https://huntr.com/bounties/3e64df69-ddc2-463e-9809-d07c24dc1de4
- https://nvd.nist.gov/vuln/detail/CVE-2023-6014
- https://github.com/mlflow/mlflow/releases/tag/v2.8.0
- https://github.com/mlflow/mlflow
- https://github.com/mlflow/mlflow/issues/9669
- https://github.com/mlflow/mlflow/pull/9700
- https://osv.dev/vulnerability/GHSA-4qq5-mxxx-m6gg
What are Similar Vulnerabilities to CVE-2023-6014?
Similar Vulnerabilities: CVE-2021-34444, CVE-2020-1358, CVE-2019-11252, CVE-2018-12613, CVE-2017-0199
