CVE-2023-6909
📋 TL;DR
This path traversal vulnerability in MLflow allows attackers to access arbitrary files on the server by using '\..\filename' sequences in requests. It affects MLflow deployments prior to version 2.9.2 where the vulnerable endpoint is exposed. Users running vulnerable MLflow versions with network-accessible endpoints are at risk.
💻 Affected Systems
- MLflow
📦 What is this software?
Mlflow by Lfprojects
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through reading sensitive files like SSH keys, configuration files, or database credentials, potentially leading to lateral movement and data exfiltration.
Likely Case
Unauthorized access to sensitive MLflow artifacts, model files, or configuration data stored on the server filesystem.
If Mitigated
Limited impact with proper network segmentation and access controls preventing external access to vulnerable endpoints.
🎯 Exploit Status
Exploit requires network access to MLflow endpoints; path traversal payloads are well-documented and easy to craft.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.2
Vendor Advisory: https://github.com/mlflow/mlflow/commit/1da75dfcecd4d169e34809ade55748384e8af6c1
Restart Required: Yes
Instructions:
1. Back up your MLflow data and configuration.
2. Upgrade MLflow using pip: 'pip install mlflow==2.9.2'.
3. Restart all MLflow services.
4. Verify the fix by checking the version: 'mlflow --version'.
🔧 Temporary Workarounds
Network Access Restriction
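Linux: Restrict network access to MLflow endpoints using firewall rules or network segmentation. In the rules below, trusted_network is a placeholder for your trusted source address range, and 5000 is the default MLflow server port; adjust it if your deployment listens elsewhere.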
iptables -A INPUT -p tcp --dport 5000 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 5000 -j DROP
Reverse Proxy Input Validation
All platforms: Configure a reverse proxy (nginx/Apache) to block requests containing path traversal sequences
location / { if ($request_uri ~* "\\.\\.") { return 403; } }
🧯 If You Can't Patch
- Implement strict network access controls to limit MLflow endpoint exposure to trusted networks only
- Deploy web application firewall (WAF) rules to detect and block path traversal patterns in requests
🔍 How to Verify
Check if Vulnerable:
Check the MLflow version: 'mlflow --version' or examine pip packages: 'pip show mlflow'. If the version is below 2.9.2, the system is vulnerable.
Check Version:
mlflow --version
Verify Fix Applied:
After upgrade, confirm version is 2.9.2 or higher and test with controlled path traversal attempts that should be rejected.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '\..\' sequences in URL paths
- Access to unexpected file paths in MLflow logs
- Failed file access attempts outside expected artifact directories
Network Indicators:
- Unusual file path patterns in HTTP requests to MLflow endpoints
- Requests for known sensitive files (e.g., /etc/passwd, .ssh/id_rsa)
SIEM Query:
source="mlflow.logs" AND ("\\..\\" OR "%5c..%5c" OR "..\\")
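The log indicators above can also be checked offline against web server access logs. The following Python scanner is an added example, not part of the original advisory or MLflow's own code: it percent-decodes each request target and flags '..' only when it appears as a whole path segment bounded by '/' or '\'. The sample log lines, client addresses and request paths are constructed for illustration and do not identify the vulnerable endpoint.

```python
import re
from urllib.parse import unquote

# ".." as a whole path segment, bounded by "/" or "\" (or the string edge).
TRAVERSAL = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')
# Client address and request target from a common/combined-format log line.
LOG_LINE = re.compile(r'^(?P<client>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def is_traversal(target):
    """Return True if the path or any query key/value holds a '..' segment."""
    # Split before decoding so an encoded '&' or '=' cannot hide a value.
    pieces = re.split(r'[?&=]', target)
    return any(TRAVERSAL.search(unquote(p)) for p in pieces)

def scan(lines):
    """Return (client, raw_target) for each log line with a traversal segment."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and is_traversal(m.group('target')):
            hits.append((m.group('client'), m.group('target')))
    return hits

# Constructed sample lines; addresses and request paths are illustrative only.
SAMPLE_LOG = [
    r'10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /get-artifact?path=model.pkl HTTP/1.1" 200 512',
    r'10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /get-artifact?path=\..\filename HTTP/1.1" 200 87',
    r'10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /get-artifact?path=%5C..%5cfilename HTTP/1.1" 200 87',
    r'10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /static/app..v2.js HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, target in scan(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {target}")
```

Unlike a plain substring match on '..', this check does not flag file names such as app..v2.js, which keeps the alert volume down on static asset requests.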