Machine learning development has been revolutionized with the advent of MLflow, a platform that streamlines the entire process, from tracking experiments to sharing and deploying models. Its compatibility with popular machine learning libraries and applications, such as TensorFlow, PyTorch, and XGBoost, makes it a widely adopted tool. Recently, two security vulnerabilities were discovered in MLflow. The first vulnerability, CVE-2023-1176, allows an attacker to check the existence of arbitrary files on the host server, including files stored in remote locations. The second vulnerability, CVE-2023-1177, allows an attacker to access arbitrary files on the host server.
- CVE-2023-1176: A Sneaky Remote File Existence Check
CVE-2023-1176 is a security vulnerability with a CVSS score of 5.3, affecting MLflow Open Source Project users running the MLflow Model Registry with the mlflow server or mlflow ui commands on versions older than MLflow 2.2.1. This vulnerability allows an attacker to check the existence of arbitrary files on the host server, even those unrelated to MLflow, as long as the server has access to them.
While the Databricks Managed MLflow product and MLflow on Azure Machine Learning remain unaffected, users of the mlflow server and mlflow ui commands should take immediate action.
Patch: Upgrade to MLflow 2.2.1, released on March 2nd, 2023, to eliminate this vulnerability.
Workarounds: Limit access to your MLflow Model Registry and Tracking servers by placing them inside a cloud VPC, applying an IP allowlist to inbound requests, or adding authentication/authorization middleware. Additionally, restrict the scope of the server’s cloud credentials so they can reach only MLflow-related files and directories.
- CVE-2023-1177: The Dangerous Remote File Access Vulnerability
CVE-2023-1177 is a more severe security vulnerability with a CVSS score of 10. Similar to CVE-2023-1176, it affects users running the MLflow Model Registry with the mlflow server or mlflow ui commands on versions older than MLflow 2.2.1. This vulnerability enables an attacker to download arbitrary files from the host server, potentially granting them access to sensitive data.
Again, Databricks Managed MLflow and MLflow on Azure Machine Learning users are unaffected by this vulnerability.
Patch: Upgrade to MLflow 2.2.1 to protect your projects from this vulnerability.
Workarounds: Apply the same access restrictions described for CVE-2023-1176: a cloud VPC, an IP allowlist for inbound requests, or authentication/authorization middleware. Furthermore, limit the set of remote files that your MLflow Model Registry and Tracking servers are able to access.
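The access-restriction workarounds listed for both CVEs (IP allowlist, authentication/authorization middleware) can be enforced at the WSGI layer in front of the tracking server. The following is an added example, not MLflow's own code: a hypothetical middleware with a constructed allowlist and token, exercised against a stand-in app; in a real deployment you would wrap the tracking server's WSGI application (mlflow.server:app, an assumption here) and serve the wrapped object with gunicorn instead.

```python
import hmac
import ipaddress

class AllowlistAuthMiddleware:
    """Hypothetical WSGI wrapper (not MLflow code): IP allowlist plus bearer token."""

    def __init__(self, app, allowed_cidrs, token):
        self.app = app
        self.networks = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
        self.token = token.encode()

    def _client_allowed(self, environ):
        # Trust only REMOTE_ADDR: X-Forwarded-For is client-controlled unless a
        # trusted reverse proxy in front of this server overwrites it.
        try:
            addr = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return False
        return any(addr in net for net in self.networks)

    def _token_valid(self, environ):
        scheme, _, presented = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
        # Constant-time compare so response timing does not leak token prefixes.
        return scheme == "Bearer" and hmac.compare_digest(presented.encode(), self.token)

    def __call__(self, environ, start_response):
        if not self._client_allowed(environ):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        if not self._token_valid(environ):
            start_response("401 Unauthorized", [("WWW-Authenticate", "Bearer")])
            return [b"unauthorized\n"]
        return self.app(environ, start_response)

def _stand_in_app(environ, start_response):
    # Constructed stand-in for the MLflow tracking app, used only to exercise the wrapper.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]

def request_status(app, remote_addr, authorization=""):
    """Send one constructed request through a WSGI app and return its status line."""
    seen, environ = {}, {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "REMOTE_ADDR": remote_addr}
    if authorization:
        environ["HTTP_AUTHORIZATION"] = authorization
    b"".join(app(environ, lambda status, headers, exc_info=None: seen.update(status=status)))
    return seen["status"]

# Constructed allowlist and token; a real deployment would wrap mlflow.server:app instead.
guarded = AllowlistAuthMiddleware(_stand_in_app, ["10.0.0.0/8", "127.0.0.1/32"], "constructed-token")
```

Requests from outside the allowlist are rejected before the token is even examined, so a scanner on the public internet never reaches the vulnerable endpoints at all.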