cbcvebase.
CVE-2023-6831
published 2023-12-15

CVE-2023-6831: Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.

Priority: P3 · 54 · high · 8.1 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:L / UI:N / S:U / C:N / I:H / A:H
EXPLOIT
EPSS: 3.29% (86.9th percentile)

Affected

6 ranges

Vendor      | Product        | Version range                                       | Fixed in
lfprojects  | mlflow         | < 2.9.2                                             | 2.9.2
lfprojects  | mlflow         | <= 2.9.2                                            |
lfprojects  | mlflow         | >= 0, < 2.9.2                                       | 2.9.2
lfprojects  | mlflow         | >= 0, < 1da75dfcecd4d169e34809ade55748384e8af6c1   | 1da75dfcecd4d169e34809ade55748384e8af6c1
lfprojects  | mlflow         | 0 – 2.9.2                                           |
mlflow      | mlflow_mlflow  | unspecified – latest                                |

Detection & IOCs (extracted from sources)

url: PUT /api/2.0/mlflow-artifacts/artifacts/{{randstr}} HTTP/1.1
url: DELETE /api/2.0/mlflow-artifacts/artifacts/%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252Fetc%252fpasswd HTTP/1.1
path: /api/2.0/mlflow-artifacts/artifacts/
  • Detect double-URL-encoded path traversal sequences in DELETE requests to the MLflow artifacts API endpoint. The payload uses %252E%252E%252F (double-encoded '../') to escape the artifact root.
  • A successful exploitation attempt returns HTTP 500 with a JSON body of '{}' and headers containing both 'Content-Type: application/json' and 'Server: gunicorn'.
  • Attackers first stage a PUT request to create an artifact, then issue a DELETE with a traversal path to delete arbitrary files. Monitor for sequential PUT then DELETE to /api/2.0/mlflow-artifacts/artifacts/ from the same source.
  • Use Shodan/FOFA/Google dorks to identify exposed MLflow instances as potential targets: Shodan 'http.title:"mlflow"', FOFA 'title="mlflow"' or 'app="mlflow"', Google 'intitle:"mlflow"'.
  • The vulnerability requires authentication (PR:L). Exploitation is only possible by a low-privileged authenticated user, not unauthenticated attackers.
  • The path traversal uses double URL-encoding (%252E%252E%252F) to bypass server-side decoding. Detection rules must decode twice or match on the encoded form directly.
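The detection notes above call for decoding the request path more than once and for correlating a PUT followed by a DELETE from the same source. The following is an added example (not code from the page or from the MLflow project) showing one way to apply both rules to access-log lines. The log lines, the source addresses and the function names (`fully_decode`, `has_traversal`, `scan`) are constructed for illustration; the endpoint prefix is the one listed on this page.

```python
from urllib.parse import unquote

# Artifact endpoint prefix named in the IOCs above.
ARTIFACT_PREFIX = "/api/2.0/mlflow-artifacts/artifacts/"

# Constructed sample log lines: "<source> <method> <path>". Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 PUT /api/2.0/mlflow-artifacts/artifacts/report.txt
10.0.0.5 DELETE /api/2.0/mlflow-artifacts/artifacts/%252E%252E%252F%252E%252E%252Fetc%252fpasswd
10.0.0.7 GET /api/2.0/mlflow-artifacts/artifacts/model.pkl
10.0.0.9 DELETE /api/2.0/mlflow-artifacts/artifacts/..%2F..%2Fetc/passwd
10.0.0.11 DELETE /api/2.0/mlflow-artifacts/artifacts/old-run/metrics.json
"""


def fully_decode(path, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so a
    double-encoded '%252E%252E%252F' becomes '../' like a single-encoded one."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_traversal(path):
    """True if any path segment, after full decoding, is '..'.
    Backslashes are normalised to '/' so '\\..\\' variants are caught too."""
    decoded = fully_decode(path).replace("\\", "/")
    return any(segment == ".." for segment in decoded.split("/"))


def parse_line(line):
    """Split a constructed log line into (source, method, path)."""
    source, method, path = line.split(maxsplit=2)
    return source, method, path


def scan(log_text):
    """Return one alert per DELETE to the artifacts endpoint whose decoded
    path escapes the artifact root; 'staged_put' records whether the same
    source issued a PUT to the endpoint earlier in the log."""
    alerts = []
    sources_with_put = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        source, method, path = parse_line(line)
        if not path.startswith(ARTIFACT_PREFIX):
            continue
        if method == "PUT":
            sources_with_put.add(source)
        if method == "DELETE" and has_traversal(path):
            alerts.append({
                "source": source,
                "raw_path": path,
                "decoded_path": fully_decode(path),
                "staged_put": source in sources_with_put,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Matching on the decoded form rather than on the literal `%252E%252E%252F` string means single-encoded and mixed-encoding variants of the same traversal are caught by one rule; the `staged_put` flag gives the PUT-then-DELETE sequence from the notes above as an extra signal for triage.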

CVSS provenance

nvd  | v3.1 | 8.1 HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
nvd  | v3.0 | 8.1 HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
ghsa |      | 8.1 HIGH |
osv  |      | 8.1 HIGH |