CVE-2023-1177
Published 2023-03-24
Priority: P186 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 69.47% (99.3rd percentile)
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lfprojects | mlflow | < 2.2.1 | 2.2.1 |
| lfprojects | mlflow | >= 0 < 2.3.1 | 2.3.1 |
| lfprojects | mlflow | >= 0 < 7162a50c654792c21f3e4a160eb1a0e6a34f6e6e | 7162a50c654792c21f3e4a160eb1a0e6a34f6e6e |
| lfprojects | mlflow | >= 0 < 2.2.1 | 2.2.1 |
| lfprojects | mlflow | >= 0 < 2.3.0 | 2.3.0 |
| mlflow | mlflow_mlflow | >= unspecified < 2.2.1 | 2.2.1 |
Detection & IOCs (extracted from sources)
YARA:
rule CVE_2023_1177_MLflow_LFI {
    strings:
        $s1 = "/model-versions/get-artifact"
        $s2 = "path=passwd"
    condition:
        all of them
}
- Look for HTTP POST requests to /ajax-api/2.0/mlflow/model-versions/create containing a 'source' field with a file:// URI (e.g., file:///etc/). This is the path traversal injection point used to register a malicious model version source.
- Monitor GET requests to /model-versions/get-artifact with a 'path' parameter referencing sensitive files (e.g., path=passwd). This endpoint is used to retrieve the traversed file content.
- Successful exploitation returns the content of /etc/passwd; detect responses matching the regex pattern 'root:.*:0:0:' in HTTP response bodies from the MLflow server.
- Use Shodan/FOFA to identify exposed MLflow instances via the query http.title:"mlflow" or title="mlflow". These are potential targets for unauthenticated exploitation (no auth required, CVSS 9.8).
- The attack is a three-step chain: (1) create a registered model, (2) create a model version with a file:// source URI, (3) fetch the artifact via the get-artifact endpoint. Correlate these three requests in sequence from the same source IP.
- No authentication is required to exploit this vulnerability (PR:N, UI:N in the CVSS vector), meaning any network-accessible MLflow instance running a vulnerable version is at risk without any credential bypass.
- The exploit uses the 'file://' URI scheme in the model version 'source' field. Detection rules should account for variations such as file:///proc/, file:///var/, etc., not just file:///etc/.
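The correlation the indicators above call for (a model-version create with a file:// source, followed by a get-artifact fetch from the same client) as a small defender-side detector. This is an added example, not part of this record and not MLflow's own code. It runs over a few constructed log lines in an assumed simplified `ip method target status body=...` format; the endpoint paths and the `root:.*:0:0:` response pattern come from the indicators above, while the log format, the sample addresses and the sample bodies are constructed. It matches steps 2 and 3 of the chain, since those are the endpoints the indicators name, and it flags any file:// scheme rather than only file:///etc/.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample log (not from the page). Assumed format per line:
#   <client ip> <method> <path?query> <status> body=<request body>
# The request body is needed because the 'source' field of the
# model-versions/create request is carried in the POST body, not the URL.
SAMPLE_LOG = """\
10.0.0.5 POST /ajax-api/2.0/mlflow/registered-models/create 200 body={"name":"demo"}
10.0.0.5 POST /ajax-api/2.0/mlflow/model-versions/create 200 body={"name":"demo","source":"file:///etc/"}
10.0.0.5 GET /model-versions/get-artifact?path=passwd&name=demo&version=1 200 body=
10.0.0.9 POST /ajax-api/2.0/mlflow/model-versions/create 200 body={"name":"ok","source":"s3://bucket/models/1"}
10.0.0.9 GET /model-versions/get-artifact?path=model.pkl&name=ok&version=1 200 body=
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3}) body=(?P<body>.*)$'
)
# Any file:// scheme in the 'source' field, not only file:///etc/ (the
# indicators note /proc/, /var/ and other prefixes as variations).
FILE_URI_RE = re.compile(r'"source"\s*:\s*"file://', re.IGNORECASE)
# Response-body indicator from the record: a passwd-style root entry.
PASSWD_RE = re.compile(r'root:.*:0:0:')

CREATE_PATH = "/ajax-api/2.0/mlflow/model-versions/create"
ARTIFACT_PATH = "/model-versions/get-artifact"


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def classify(rec):
    """Map a parsed request to chain step 2 or 3, or None if it is neither.

    Step 1 (registered-model creation) is not matched here because the
    indicators above do not name its endpoint; the alert fires on 2 -> 3.
    """
    if rec["method"] == "POST" and rec["path"] == CREATE_PATH and FILE_URI_RE.search(rec["body"]):
        return 2
    if rec["method"] == "GET" and rec["path"].endswith(ARTIFACT_PATH) and "path" in rec["query"]:
        return 3
    return None


def find_chains(log_text):
    """Correlate per source IP: a get-artifact fetch (step 3) that follows a
    file:// model-version create (step 2) from the same IP raises an alert."""
    seen = defaultdict(list)  # ip -> ordered chain steps observed so far
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        step = classify(rec)
        if step is None:
            continue
        seen[rec["ip"]].append(step)
        if step == 3 and 2 in seen[rec["ip"]]:
            alerts.append({
                "ip": rec["ip"],
                "path": rec["query"]["path"][0],
                "stages": list(seen[rec["ip"]]),
            })
    return alerts


def response_leaks_passwd(body):
    """True if a response body looks like /etc/passwd content (root:.*:0:0:)."""
    return PASSWD_RE.search(body) is not None


if __name__ == "__main__":
    for alert in find_chains(SAMPLE_LOG):
        print(f"ALERT {alert['ip']}: file:// source followed by get-artifact path={alert['path']!r}")
```

Only the client that registered a file:// source and then fetched an artifact is reported; the client using an s3:// source and fetching model.pkl produces no alert even though it hits the same get-artifact endpoint, which keeps the rule from firing on ordinary registry traffic. Pair it with `response_leaks_passwd` on captured response bodies where the proxy logs them.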
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | 9.8 | CRITICAL | |
| osv | 9.8 | CRITICAL | |
| vulncheck | 9.3 | CRITICAL | |
GHSA · 2023-05-17 · CVSS 9.8
CVE-2023-2780 [CRITICAL] CWE-29 mlflow Path Traversal vulnerability
mlflow prior to 2.3.0 is vulnerable to path traversal due to a bypass of the fix for CVE-2023-1177.
OSV · 2023-05-17 · CVSS 9.8
CVE-2023-2780 [CRITICAL] mlflow Path Traversal vulnerability
mlflow prior to 2.3.0 is vulnerable to path traversal due to a bypass of the fix for CVE-2023-1177.
GHSA · 2023-05-01 · CVSS 9.8
[CRITICAL] Remote file access vulnerability in `mlflow server` and `mlflow ui` CLIs
### Impact
Users of the MLflow Open Source Project who are hosting the MLflow Model Registry using the ``mlflow server`` or ``mlflow ui`` commands using an MLflow version older than **MLflow 2.3.1** may be vulnerable to a remote file access exploit if they are not limiting who can query their server (for example, by using a cloud VPC, an IP allowlist for inbound requests, or authentication / authorization middleware).
This issue only affects users and integrations that run the ``mlflow server`` and ``mlflow ui`` commands. Integrations that do not make use of ``mlflow server`` or ``mlflow ui`` are unaffected; for example, the Databricks Managed MLflow product and MLflow on Azure Machine Learning do not make use of t
OSV · 2023-05-01 · CVSS 9.8
[CRITICAL] Remote file access vulnerability in `mlflow server` and `mlflow ui` CLIs
### Impact
Users of the MLflow Open Source Project who are hosting the MLflow Model Registry using the ``mlflow server`` or ``mlflow ui`` commands using an MLflow version older than **MLflow 2.3.1** may be vulnerable to a remote file access exploit if they are not limiting who can query their server (for example, by using a cloud VPC, an IP allowlist for inbound requests, or authentication / authorization middleware).
This issue only affects users and integrations that run the ``mlflow server`` and ``mlflow ui`` commands. Integrations that do not make use of ``mlflow server`` or ``mlflow ui`` are unaffected; for example, the Databricks Managed MLflow product and MLflow on Azure Machine Learning do not make use of t
OSV · 2023-03-24
CVE-2023-1177: Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1.
OSV · 2023-03-24 · CVSS 9.8
CVE-2023-1177 [CRITICAL] mlflow is vulnerable to remote file access in `mlflow server` and `mlflow ui` CLIs
### Impact
Users of the MLflow Open Source Project who are hosting the MLflow Model Registry using the `mlflow server` or `mlflow ui` commands using an MLflow version older than MLflow 2.2.1 may be vulnerable to a remote file access exploit if they are not limiting who can query their server (for example, by using a cloud VPC, an IP allowlist for inbound requests, or authentication / authorization middleware).
This issue only affects users and integrations that run the `mlflow server` and `mlflow ui` commands. Integrations that do not make use of `mlflow server` or `mlflow ui` are unaffected; for example, the Databricks Managed MLflow product and MLflow on Azure Machine Learning do not make use of these c
GHSA · 2023-03-24 · CVSS 9.8
CVE-2023-1177 [CRITICAL] CWE-22 mlflow is vulnerable to remote file access in `mlflow server` and `mlflow ui` CLIs
### Impact
Users of the MLflow Open Source Project who are hosting the MLflow Model Registry using the `mlflow server` or `mlflow ui` commands using an MLflow version older than MLflow 2.2.1 may be vulnerable to a remote file access exploit if they are not limiting who can query their server (for example, by using a cloud VPC, an IP allowlist for inbound requests, or authentication / authorization middleware).
This issue only affects users and integrations that run the `mlflow server` and `mlflow ui` commands. Integrations that do not make use of `mlflow server` or `mlflow ui` are unaffected; for example, the Databricks Managed MLflow product and MLflow on Azure Machine Learning do not make use of these c
VulnCheck · 2023 · CVSS 9.3
CVE-2023-1177 [CRITICAL] lfprojects mlflow Path Traversal: '\..\filename'
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1.
Affected: lfprojects mlflow
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-01&host_type=src&vulnerability=cve-2023-1177
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-04&host_type=src&vulnerability=cve-2023-1177
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-06&host_type=src&vulnerability=cve-2023-1177
- https://dashboard.shadowserver.org/statistics/honeypot/vulne
No detection rules found.
Nuclei · CVSS 9.8
CVE-2023-1177 [CRITICAL] Mlflow <2.2.1 - Local File Inclusion
Mlflow before 2.2.1 is susceptible to local file inclusion due to path traversal \..\filename in GitHub repository mlflow/mlflow. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Template:
id: CVE-2023-1177

info:
  name: Mlflow <2.2.1 - Local File Inclusion
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    Mlflow before 2.2.1 is susceptible to local file inclusion due to path traversal \..\filename in GitHub repository mlflow/mlflow. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
  impact: |
    Successful exploitation c
No writeups or analysis indexed.
References:
- https://github.com/mlflow/mlflow/pull/7891/commits/7162a50c654792c21f3e4a160eb1a0e6a34f6e6e
- https://huntr.dev/bounties/1fe8f21a-c438-4cba-9add-e8a5dab94e28