mlflow anfällig für Path Traversal

The primary impact of CVE-2024-1560 is the ability for an attacker to delete arbitrary files on the MLflow server. This can range from deleting critical configuration files, disrupting MLflow's operation, to deleting sensitive data stored within the artifact repository. Successful exploitation requires an attacker to interact with the artifact deletion endpoint, potentially through a crafted MLflow API request or a malicious experiment. The blast radius extends to any data stored within the MLflow artifact store, and could lead to denial of service if critical system files are deleted. While the vulnerability requires interaction with the artifact deletion functionality, the potential for widespread data loss makes it a significant concern.

Organizations heavily reliant on MLflow for model tracking, deployment, and management are at significant risk. Specifically, environments with shared MLflow instances or those lacking robust access controls are particularly vulnerable. Users who have write access to the MLflow artifact store are potential threat actors.

• python / server:

import os
import subprocess

def check_mlflow_vulnerability():
    try:
        result = subprocess.run(['mlflow', 'artifacts', 'list'], capture_output=True, text=True, check=True)
        if '2.9.2' in result.stdout:
            print("MLflow version is vulnerable.")
        else:
            print("MLflow version is likely patched.")
    except FileNotFoundError:
        print("MLflow not found.")
check_mlflow_vulnerability()

• linux / server:

journalctl -u mlflow -g 'artifact deletion' | grep -i error

• generic web: Use curl to test artifact deletion endpoints with path traversal payloads (e.g., curl 'http://mlflow-server/artifacts/../sensitive_file') and observe the response.

1. 2024-04-16Disclosure

   disclosure

1. Reserviert2024-02-15
2. Veröffentlicht2024-04-16
3. Geändert2025-02-04
4. EPSS aktualisiert2026-04-02

The primary mitigation for CVE-2024-1560 is to upgrade MLflow to a version that includes the fix. The vendor has not released a specific fixed version, so monitor the MLflow GitHub repository for updates. As a temporary workaround, restrict access to the artifact deletion endpoint to trusted users and systems. Implement strict input validation on any user-supplied paths used in artifact operations. Consider using a Web Application Firewall (WAF) to filter out potentially malicious requests targeting the artifact deletion endpoint. After upgrading, confirm the fix by attempting to delete a test artifact with a path containing traversal sequences (e.g., ../../../../etc/passwd) and verifying that the deletion fails with an appropriate error.