CVE-2023-6977
published 2023-12-20

CVE-2023-6977: This vulnerability enables malicious users to read sensitive files on the server.

Priority: P3 (55) · Severity: high, 7.5 (CVSS 3.1) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N · Exploit: available · EPSS: 3.92% (89.0th percentile)

Affected

3 ranges

Vendor       Product         Version range             Fixed in
lfprojects   mlflow          >= 0 < 2.9.2              2.9.2
lfprojects   mlflow          >= 1.0.0 < 2.9.2          2.9.2
mlflow       mlflow_mlflow   >= unspecified < 2.9.2    2.9.2

Detection & IOCs (extracted from sources)

url:  POST /ajax-api/2.0/mlflow/registered-models/create
url:  POST /ajax-api/2.0/mlflow/model-versions/create
url:  GET /model-versions/get-artifact?name={{randstr}}&path=etc%2Fpasswd&version=1
path: //proc/self/root
path: etc%2Fpasswd
  • Exploitation involves a 3-step HTTP sequence: (1) create a registered model via POST to /ajax-api/2.0/mlflow/registered-models/create, (2) create a model version with source set to '//proc/self/root' via POST to /ajax-api/2.0/mlflow/model-versions/create, (3) retrieve the artifact via GET to /model-versions/get-artifact with path=etc%2Fpasswd to read /etc/passwd.
  • Successful exploitation is confirmed by the presence of 'root:.*:0:0:' in the response body AND response headers containing both 'filename=passwd' and 'application/octet-stream', with HTTP status 200.
  • Exposed MLflow instances can be discovered via Shodan (http.title:"mlflow"), FOFA (title="mlflow" or app="mlflow"), or Google (intitle:"mlflow") to identify potential targets.
  • The path traversal payload uses double-slash prefix '//proc/self/root' as the model version source to anchor traversal to the filesystem root, bypassing path sanitization.
  • The vulnerability affects MLflow versions before 2.8.0 only. The fix is available in version 2.9.2 or later.
  • No authentication is required to exploit this vulnerability (PR:N, UI:N per CVSS vector), meaning any unauthenticated network attacker can trigger the LFI.
  • This template is marked 'intrusive' — running the detection probe creates actual registered models and model versions in the target MLflow instance as a side effect.
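The IOCs above are request paths and a query parameter, which is exactly what an MLflow front-end access log records. The following is an added example, written for this page and not taken from the advisory source or the MLflow project, that correlates the three-step request sequence per client IP and flags lone get-artifact requests whose decoded `path` points outside the artifact tree; it also checks a version string against the fixed version 2.9.2 from the affected table. The log lines, IP addresses and the `window` size are constructed for the example; the `SUSPICIOUS_MARKERS` heuristic is an assumption based only on the payload quoted on this page.

```python
# Added example (not from the advisory page or the MLflow project): flag the
# CVE-2023-6977 request pattern in MLflow front-end access logs and check
# whether a deployed version falls inside the affected range.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs, unquote

# Request paths quoted in the advisory's IOC list.
STEP_CREATE_MODEL = "/ajax-api/2.0/mlflow/registered-models/create"
STEP_CREATE_VERSION = "/ajax-api/2.0/mlflow/model-versions/create"
STEP_GET_ARTIFACT = "/model-versions/get-artifact"
# Assumed markers for a get-artifact 'path' that reaches outside the artifact store
# (derived from the etc%2Fpasswd payload on the page plus classic dot-dot traversal).
SUSPICIOUS_MARKERS = ("..", "etc/passwd")
FIXED_VERSION = (2, 9, 2)

# Constructed sample log in Combined Log Format (hypothetical addresses and timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Dec/2023:10:00:01 +0000] "POST /ajax-api/2.0/mlflow/registered-models/create HTTP/1.1" 200 61
203.0.113.7 - - [20/Dec/2023:10:00:02 +0000] "POST /ajax-api/2.0/mlflow/model-versions/create HTTP/1.1" 200 118
203.0.113.7 - - [20/Dec/2023:10:00:03 +0000] "GET /model-versions/get-artifact?name=abc123&path=etc%2Fpasswd&version=1 HTTP/1.1" 200 1994
198.51.100.5 - - [20/Dec/2023:10:05:10 +0000] "GET /model-versions/get-artifact?name=churn&path=model.pkl&version=3 HTTP/1.1" 200 40960
192.0.2.9 - - [20/Dec/2023:10:07:00 +0000] "GET /model-versions/get-artifact?name=x&path=..%2F..%2Fetc%2Fpasswd&version=1 HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    parts = urlsplit(ev["target"])
    ev["path"] = parts.path
    ev["query"] = parse_qs(parts.query)
    return ev


def artifact_path_is_suspicious(ev):
    """True if a get-artifact request asks for a path that looks like it leaves the artifact tree."""
    if ev["path"] != STEP_GET_ARTIFACT:
        return False
    # parse_qs already percent-decodes once; unquote again to catch double encoding.
    for raw in ev["query"].get("path", []):
        decoded = unquote(raw).replace("\\", "/").lower()
        if any(marker in decoded for marker in SUSPICIOUS_MARKERS):
            return True
    return False


def find_alerts(log_text, window=timedelta(minutes=10)):
    """Correlate the three-step sequence per client IP and flag lone suspicious reads.

    Returns a list of (ip, kind, timestamp) tuples. kind is 'exploit_sequence' when
    steps 1-3 came from one IP inside the window and step 3 returned HTTP 200, or
    'suspicious_path' for any other get-artifact request with a traversal-looking path.
    """
    alerts = []
    state = defaultdict(dict)  # ip -> {"create_model": ts, "create_version": ts}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["method"] == "POST" and ev["path"] == STEP_CREATE_MODEL:
            state[ip]["create_model"] = ts
        elif ev["method"] == "POST" and ev["path"] == STEP_CREATE_VERSION:
            state[ip]["create_version"] = ts
        elif artifact_path_is_suspicious(ev):
            s = state[ip]
            recent = (
                "create_model" in s and "create_version" in s
                and ts - s["create_model"] <= window
                and ts - s["create_version"] <= window
            )
            if recent and ev["status"] == 200:
                alerts.append((ip, "exploit_sequence", ts))
            else:
                alerts.append((ip, "suspicious_path", ts))
    return alerts


def is_affected_version(version):
    """True if an MLflow version string is below the fixed version 2.9.2 from the affected table."""
    parts = tuple(int(p) for p in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    return parts < FIXED_VERSION


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
    print("2.9.1 affected:", is_affected_version("2.9.1"))
```

The sequence match is what gives a high-confidence alert: an unauthenticated client creating a registered model and a model version and then immediately fetching an artifact with a traversal-looking path is the page's exploitation pattern, whereas a lone suspicious get-artifact request is worth a lower-severity alert since the POST bodies (where the `//proc/self/root` source appears) are not normally logged.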

CVSS provenance

nvd  v3.1  7.5   HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd  v3.0  10.0  CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L