cbcvebase.
CVE-2023-1177
published 2023-03-24

CVE-2023-1177: Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1.

PriorityP186critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
69.47%
99.3th percentile
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1.

Affected

6 ranges
VendorProductVersion rangeFixed in
lfprojectsmlflow< 2.2.12.2.1
lfprojectsmlflow>= 0 < 2.3.12.3.1
lfprojectsmlflow>= 0 < 7162a50c654792c21f3e4a160eb1a0e6a34f6e6e7162a50c654792c21f3e4a160eb1a0e6a34f6e6e
lfprojectsmlflow>= 0 < 2.2.12.2.1
lfprojectsmlflow>= 0 < 2.3.02.3.0
mlflowmlflow_mlflow>= unspecified < 2.2.12.2.1

Detection & IOCsextracted from sources · hover to see the quote

url/ajax-api/2.0/mlflow/registered-models/create
url/ajax-api/2.0/mlflow/model-versions/create
url/model-versions/get-artifact?path=passwd&name=AJAX-API&version={{version}}
pathfile:///etc/
commandPOST /ajax-api/2.0/mlflow/model-versions/create with source=file:///etc/
yara
rule CVE_2023_1177_MLflow_LFI { strings: $s1 = "/model-versions/get-artifact" $s2 = "path=passwd" condition: all of them }
  • Look for HTTP POST requests to /ajax-api/2.0/mlflow/model-versions/create containing a 'source' field with a file:// URI (e.g., file:///etc/) — this is the path traversal injection point used to register a malicious model version source.
  • Monitor GET requests to /model-versions/get-artifact with a 'path' parameter referencing sensitive files (e.g., path=passwd) — this endpoint is used to retrieve the traversed file content.
  • Successful exploitation returns the content of /etc/passwd; detect responses matching the regex pattern 'root:.*:0:0:' in HTTP response bodies from the MLflow server.
  • Use Shodan/FOFA to identify exposed MLflow instances via the query http.title:"mlflow" or title="mlflow" — these are potential targets for unauthenticated exploitation (no auth required, CVSS 9.8).
  • The attack is a three-step chain: (1) create a registered model, (2) create a model version with a file:// source URI, (3) fetch the artifact via get-artifact endpoint. Correlate these three requests in sequence from the same source IP.
  • ·No authentication is required to exploit this vulnerability (PR:N, UI:N in CVSS vector), meaning any network-accessible MLflow instance running a vulnerable version is at risk without any credential bypass.
  • ·The exploit uses the 'file://' URI scheme in the model version 'source' field. Detection rules should account for variations such as file:///proc/, file:///var/, etc., not just file:///etc/.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ghsa9.8CRITICAL
osv9.8CRITICAL
vulncheck9.3CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.