cbcvebase.
CVE-2023-6023
published 2023-11-16

CVE-2023-6023: An attacker can read any file on the filesystem on the server hosting ModelDB through an LFI in the artifact_path URL parameter.

PriorityP277high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
3.00%
85.7th percentile
An attacker can read any file on the filesystem on the server hosting ModelDB through an LFI in the artifact_path URL parameter.

Affected

1 ranges
VendorProductVersion rangeFixed in
vertaaivertaai_modeldbunspecified – latest

Detection & IOCsextracted from sources · hover to see the quote

url/api/v1/artifact/getArtifact?artifact_path=../../../../../etc/passwd
path/api/v1/artifact/getArtifact
  • Look for GET requests to /api/v1/artifact/getArtifact with path traversal sequences (e.g., ../) in the artifact_path parameter.
  • Successful exploitation returns HTTP 200 with Content-Type header containing 'application/octet-stream' and 'filename=' alongside file contents (e.g., /etc/passwd pattern root:.*:0:0:) in the response body.
  • Use Shodan query 'http.favicon.hash:-2097033750' or 'http.title:"verta ai"' to identify exposed ModelDB instances.
  • Use FOFA query 'icon_hash=-2097033750' or 'title="verta ai"' to identify exposed ModelDB instances.
  • ·The vulnerability is unauthenticated (PR:N) and network-accessible (AV:N), meaning no credentials are required to exploit the path traversal endpoint.
  • ·The root cause is the complete absence of validation and sanitization on the artifact_path parameter; any file readable by the server process can be exfiltrated.

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv3.08.6HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
vulncheck7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.