CVE-2024-1558
📋 TL;DR
This path traversal vulnerability in MLflow allows attackers to read arbitrary files on the server by exploiting improper validation of the source parameter in model version creation. It affects MLflow deployments with the vulnerable code, potentially exposing sensitive configuration files, credentials, or other server data. The vulnerability is exploitable via the /model-versions/get-artifact endpoint.
💻 Affected Systems
- MLflow
📦 What is this software?
Mlflow by Lfprojects
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through reading sensitive files like SSH keys, database credentials, or configuration files containing secrets, potentially leading to lateral movement or data exfiltration.
Likely Case
Unauthorized access to sensitive server files containing API keys, database credentials, or configuration data that could be used for further attacks.
If Mitigated
Limited impact with proper network segmentation, file system permissions, and monitoring that detects unusual file access patterns.
🎯 Exploit Status
Exploitation requires access to the model version creation endpoint. The vulnerability is well-documented in the huntr.com bounty report with technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check MLflow GitHub repository for specific fixed version
Vendor Advisory: https://github.com/mlflow/mlflow/security/advisories
Restart Required: Yes
Instructions:
1. Update MLflow to the latest patched version.
2. Restart the MLflow tracking server.
3. Verify the fix by testing the vulnerability.
🔧 Temporary Workarounds
Input Validation Enhancement
Implement additional validation for the source parameter to reject paths containing directory traversal sequences
Network Access Restriction
Restrict access to the MLflow tracking server to trusted networks only
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the MLflow server from sensitive systems
- Deploy file integrity monitoring to detect unauthorized file access attempts
🔍 How to Verify
Check if Vulnerable:
Check if your MLflow version contains the vulnerable _create_model_version() function in server/handlers.py without proper source parameter validation
Check Version:
mlflow --version
Verify Fix Applied:
Test the /model-versions/get-artifact endpoint with crafted source parameters to ensure they are properly rejected
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns from MLflow processes
- Failed attempts to access files outside expected model directories
- Source parameters containing path traversal sequences (../)
Network Indicators:
- Unusual requests to /model-versions/get-artifact with crafted source parameters
- Multiple failed file access attempts from single IP
SIEM Query:
source="mlflow" AND (url_path="/model-versions/get-artifact" AND (source_param CONTAINS "../" OR source_param CONTAINS "..\\"))
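The literal `CONTAINS "../"` match above, and any validation built on the same substring test (see Input Validation Enhancement), misses percent-encoded and double-encoded sequences. The following Python check is an added example, not MLflow's code or the official patch: it normalizes the value before testing for a `..` path segment. The function names, the decode bound and the sample records are assumptions constructed for illustration; the field names `url_path` and `source_param` are taken from the SIEM query.

```python
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # assumption: how many layers of percent-encoding to unwrap

# Constructed sample records using the field names from the SIEM query above.
SAMPLE_RECORDS = [
    {"url_path": "/model-versions/get-artifact", "source_param": "runs:/0a1b2c/artifacts/model..v2"},
    {"url_path": "/model-versions/get-artifact", "source_param": "../../outside/secret.txt"},
    {"url_path": "/model-versions/get-artifact", "source_param": "%2e%2e%2fconf"},
    {"url_path": "/model-versions/get-artifact", "source_param": "%252e%252e%255cconf"},
    {"url_path": "/model-versions/get-artifact", "source_param": "runs:/0a1b2c/artifacts/model"},
]


def normalize_source(source: str) -> str:
    """Unwrap nested percent-encoding and unify path separators."""
    value = source
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:  # nothing left to decode
            break
        value = decoded
    return value.replace("\\", "/")


def has_traversal(source: str) -> bool:
    """True if any path segment equals '..' after normalization."""
    segments = re.split(r"[/?#]", normalize_source(source))
    return ".." in segments


def flag_requests(records):
    """Return the records whose source parameter carries a traversal segment."""
    return [r for r in records if has_traversal(r.get("source_param") or "")]


if __name__ == "__main__":
    for record in flag_requests(SAMPLE_RECORDS):
        print("ALERT", record["url_path"], record["source_param"])
```

The same `has_traversal` test can be used to reject a request before it reaches the server, or run over exported logs to find earlier requests that the literal query did not match.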