CVE-2026-2651
Analyzed - Analysis Complete
Unauthorized Artifact Overwrite in MLflow

Publication date: 2026-05-25

Last updated on: 2026-06-04

Assigner: huntr.dev

Description
A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the `--serve-artifacts` mode is enabled. The authorization logic does not enforce resource-level permission checks for `/mlflow-artifacts/mpu/*` endpoints, enabling attackers to overwrite artifacts belonging to other users. This can lead to unauthorized cross-user writes, model supply chain poisoning, and arbitrary code execution when compromised models are loaded. The issue is resolved in version 3.10.0.
Meta Information
Published: 2026-05-25
Last Modified: 2026-06-04
Generated: 2026-06-15
AI Q&A: 2026-05-26
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor: lfprojects
Product: mlflow
Version / Range: to 3.10.1 (inc)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Compliance Impact

This vulnerability allows unauthorized access and modification of artifacts belonging to other users, which can lead to unauthorized cross-user writes, model supply chain poisoning, and arbitrary code execution. Such unauthorized access and data manipulation can potentially violate data protection and security requirements mandated by common standards and regulations like GDPR and HIPAA, which require strict access controls and data integrity safeguards.

Specifically, the lack of resource-level permission checks could result in unauthorized disclosure or alteration of sensitive data or models, undermining confidentiality, integrity, and availability principles critical to compliance frameworks.

Detection Guidance

This vulnerability can be detected by monitoring and testing access to the multipart upload (MPU) endpoints under the path /mlflow-artifacts/mpu/*. Specifically, you should check if unauthorized POST requests to these endpoints are allowed without proper authorization.

One way to detect this on your system is to attempt sending POST requests to the MPU endpoints and observe if the server enforces authorization checks.

  • Use curl to send a POST request to an MPU endpoint and check the response status code and message (the URL is quoted so the shell does not treat the angle-bracket placeholders as redirections):
      curl -v -X POST "http://<mlflow-server>/mlflow-artifacts/mpu/<some-path>"

If the server responds without proper authorization errors (e.g., 200 OK instead of 401 Unauthorized or 403 Forbidden), it indicates the vulnerability may be present.

  • Check server logs for unauthorized access attempts or unusual artifact overwrites related to MPU endpoints.

Additionally, reviewing the MLflow server version can help determine if the vulnerability is present, as versions <= 3.10.1.dev0 are affected.
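
For the log check described above, the following added example (not part of the original advisory or of MLflow) scans reverse-proxy access logs in combined log format for successful POSTs under `/mlflow-artifacts/mpu/` and reports writes accepted with no authenticated user, plus artifact paths written by more than one user. The log format, the `scan` function, the sample lines and the assumption that the proxy records the authenticated user are illustrative.

```python
import re
from collections import defaultdict

# Combined-log-format fields used: client IP, remote user, method, path, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Prefix from the advisory. Assumption: the first segment after mpu/ names the
# operation (create/complete/abort) and the remainder is the artifact path.
MPU_RE = re.compile(r'/mlflow-artifacts/mpu/(?P<rest>[^?\s]+)')

# Constructed sample lines (not real traffic); hosts, users and paths are made up.
SAMPLE_LOG = '''\
10.0.0.5 - alice [01/Jun/2026:10:00:01 +0000] "POST /api/2.0/mlflow-artifacts/mpu/create/1/abc/artifacts/model.pkl HTTP/1.1" 200 512
10.0.0.5 - alice [01/Jun/2026:10:00:09 +0000] "POST /api/2.0/mlflow-artifacts/mpu/complete/1/abc/artifacts/model.pkl HTTP/1.1" 200 2
10.0.0.7 - bob [01/Jun/2026:11:30:00 +0000] "POST /api/2.0/mlflow-artifacts/mpu/create/1/abc/artifacts/model.pkl HTTP/1.1" 200 512
10.0.0.9 - - [01/Jun/2026:12:00:00 +0000] "POST /api/2.0/mlflow-artifacts/mpu/create/2/def/artifacts/weights.bin HTTP/1.1" 200 512
10.0.0.8 - carol [01/Jun/2026:12:05:00 +0000] "POST /api/2.0/mlflow-artifacts/mpu/create/3/ghi/artifacts/m.pkl HTTP/1.1" 403 31
10.0.0.5 - alice [01/Jun/2026:12:10:00 +0000] "GET /api/2.0/mlflow-artifacts/artifacts/1/abc/artifacts/model.pkl HTTP/1.1" 200 9000
'''

def scan(log_text):
    """Return (unauthenticated_writes, cross_user_artifacts) for 2xx MPU POSTs."""
    writers = defaultdict(set)  # artifact path -> authenticated users that wrote it
    unauth = []                 # (client ip, artifact) accepted with no remote user
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["status"].startswith("2"):
            continue            # only writes the server actually accepted matter
        mpu = MPU_RE.search(m["path"])
        if not mpu:
            continue
        _op, _, artifact = mpu["rest"].partition("/")
        if not artifact:
            continue
        if m["user"] == "-":
            unauth.append((m["ip"], artifact))
        else:
            writers[artifact].add(m["user"])
    cross = {a: sorted(u) for a, u in writers.items() if len(u) > 1}
    return unauth, cross

if __name__ == "__main__":
    unauth, cross = scan(SAMPLE_LOG)
    for ip, artifact in unauth:
        print(f"accepted MPU write without a user: {ip} -> {artifact}")
    for artifact, users in cross.items():
        print(f"artifact written by several users: {artifact} <- {', '.join(users)}")
```

Several writers on one artifact path can be legitimate in a shared experiment, so treat the second result as a triage list to compare against the experiment's permissions.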

Executive Summary

This vulnerability exists in MLflow versions up to 3.10.1.dev0 when the --serve-artifacts mode is enabled. It allows unauthorized access to multipart upload (MPU) endpoints because the authorization logic does not properly enforce resource-level permission checks for the /mlflow-artifacts/mpu/* endpoints.

As a result, attackers can overwrite artifacts that belong to other users.

This can lead to unauthorized cross-user writes, model supply chain poisoning, and even arbitrary code execution when compromised models are loaded.

The issue is fixed in version 3.10.0.

Impact Analysis

This vulnerability can have severe impacts including unauthorized overwriting of artifacts belonging to other users.

It can enable attackers to perform model supply chain poisoning, which means malicious models could be introduced into your system.

Additionally, it can lead to arbitrary code execution when compromised models are loaded, potentially allowing attackers to execute malicious code on your system.

Mitigation Strategies

To mitigate this vulnerability, upgrade MLflow to version 3.10.0 or later, where the issue is resolved.

Additionally, if you are using the `--serve-artifacts` mode, consider disabling it until the upgrade is applied to prevent unauthorized access to multipart upload endpoints.
