Impact Analysis

This vulnerability can lead to a complete confidentiality compromise of the server's filesystem.

An unauthenticated attacker can remotely read arbitrary files on the server, potentially exposing sensitive information such as configuration files, credentials, or private data.

Because no authentication or user interaction is required, the risk of exploitation is high.

Useful 0 Not Useful 0

Executive Summary

This vulnerability exists in the _create_model_version() handler of mlflow's server code in versions 3.9.0 and earlier. It allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem.

The issue occurs when a CreateModelVersion request includes a special tag (mlflow.prompt.is_prompt) that bypasses source path validation. This lets the attacker specify any local filesystem path as the model version source.

Later, when the server tries to serve files for that model version, it uses the attacker-controlled source path without verifying the prompt status, leading to a complete confidentiality breach.

This vulnerability was fixed in version 3.10.0 by adding stricter validation to block unsafe paths and traversal attempts.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem, leading to a complete confidentiality compromise.

Such unauthorized access to sensitive data can result in violations of data protection regulations and standards like GDPR and HIPAA, which mandate strict controls over the confidentiality and security of personal and health-related information.

Therefore, exploitation of this vulnerability could lead to non-compliance with these regulations due to the exposure of confidential data.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for CreateModelVersion requests that include the tag 'mlflow.prompt.is_prompt' with suspicious source paths that are absolute file paths or file:// URIs. Such requests indicate attempts to bypass source path validation and read arbitrary files.

You can inspect server logs or network traffic for requests containing the 'mlflow.prompt.is_prompt' tag and check if the source parameter includes absolute paths or file URIs.

Example commands to detect suspicious requests might include:

• Using grep on server logs to find requests with the prompt tag and suspicious sources: grep -i 'mlflow.prompt.is_prompt' /path/to/mlflow/logs | grep -E 'file://|/etc|/usr|\.'
• Using network monitoring tools like tcpdump or Wireshark to filter HTTP POST requests to the CreateModelVersion endpoint and inspect payloads for the tag and source paths.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade mlflow to version 3.10.0 or later, where the vulnerability is fixed by stricter validation of the source parameter in model prompts.

If upgrading is not immediately possible, you should restrict access to the CreateModelVersion handler to trusted users only and monitor for suspicious requests containing the 'mlflow.prompt.is_prompt' tag with unsafe source paths.

Additionally, consider implementing network-level controls to block or alert on requests attempting to use absolute file paths or file:// URIs in model version sources.

Useful 0 Not Useful 0