CVE-2023-6023
📋 TL;DR
This Local File Inclusion (LFI) vulnerability in ModelDB allows attackers to read arbitrary files on the server filesystem by manipulating the artifact_path URL parameter. This affects all ModelDB instances with the vulnerable code path. Attackers can potentially access sensitive configuration files, credentials, and other critical system data.
💻 Affected Systems
- ModelDB
📦 What is this software?
Modeldb by Vertaai
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through reading sensitive files like /etc/passwd, SSH keys, database credentials, or application configuration files containing secrets, leading to privilege escalation and lateral movement.
Likely Case
Information disclosure of sensitive files including configuration files, logs, and potentially credentials stored on the filesystem, enabling further attacks.
If Mitigated
Limited impact with proper file permissions and web server sandboxing, but still potential for information disclosure within web application context.
🎯 Exploit Status
Simple URL parameter manipulation required. No authentication needed. Public exploit details available in the huntr.com references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check ModelDB repository for latest security patches
Vendor Advisory: https://huntr.com/bounties/644ab868-db6d-4685-ab35-1a897632d2ca
Restart Required: Yes
Instructions:
1. Update ModelDB to the latest patched version from the official repository. 2. Apply security patches addressing the artifact_path parameter validation. 3. Restart the ModelDB service.
🔧 Temporary Workarounds
Input Validation Filter
allImplement strict input validation on the artifact_path parameter to prevent directory traversal sequences
Implement server-side validation to reject paths containing '../', '..\', or absolute paths
Web Application Firewall Rule
allBlock requests containing directory traversal patterns in URL parameters
Add WAF rule to block requests with '../', '..\', or file:// in artifact_path parameter
🧯 If You Can't Patch
- Implement strict file permission controls to limit web server user access to sensitive directories
- Deploy web application firewall with LFI protection rules and monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Test by accessing the vulnerable endpoint with artifact_path parameter containing directory traversal sequences like '../../etc/passwd'Check Version:
Check ModelDB version through web interface or application logsVerify Fix Applied:
Attempt the same LFI attack after patching - it should return an error or sanitized output instead of file contents📡 Detection & Monitoring
Log Indicators:
- HTTP requests with artifact_path parameter containing '../', '..\', or absolute file paths
- Unusual file access patterns from web server process
Network Indicators:
- HTTP requests with suspicious path traversal sequences in URL parameters
SIEM Query:
web.url:*/artifact_path=* AND (web.url:*../* OR web.url:*..\*)