CVE-2024-3573 in mlflow

Summary

by MITRE • 04/16/2024

mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary files on the system. The issue arises from the 'is_local_uri' function's failure to properly handle URIs with empty or 'file' schemes, leading to the misclassification of URIs as non-local. Attackers can exploit this by crafting malicious model versions with specially crafted 'source' parameters, enabling the reading of sensitive files within at least two directory levels from the server's root.


Analysis

by VulDB Data Team • 02/04/2025

The vulnerability identified as CVE-2024-3573 represents a critical local file inclusion flaw within the mlflow/mlflow framework that stems from inadequate URI parsing mechanisms. This security weakness specifically targets the 'is_local_uri' function which fails to properly validate and classify uniform resource identifiers, creating a pathway for malicious actors to circumvent intended security controls. The flaw manifests when the system processes URIs containing empty or 'file' schemes, causing the application to incorrectly categorize these references as non-local resources despite their actual filesystem access capabilities. This misclassification enables attackers to manipulate the application's behavior and gain unauthorized access to system resources that should remain protected.

The technical exploitation of this vulnerability occurs through the manipulation of model version parameters, particularly the 'source' field within model configurations. Attackers can craft malicious model versions that contain specially constructed URIs designed to bypass the local URI validation checks implemented by the mlflow system. When the application processes these crafted references, the flawed parsing logic fails to recognize the true nature of the URI, allowing the system to attempt file operations on locations that should be restricted. The vulnerability specifically permits reading files within at least two directory levels from the server's root, potentially exposing sensitive system information, configuration files, and other confidential data stored within the application's filesystem hierarchy.

The operational impact of this vulnerability extends beyond simple unauthorized file access, as it provides attackers with the ability to potentially escalate their privileges and extract critical system information. The flaw can be exploited to read configuration files that may contain database credentials, API keys, or other sensitive authentication material. Additionally, the vulnerability could enable attackers to access log files that might contain user data or system audit trails, potentially leading to further compromise of the affected environment. The ease of exploitation through standard model version parameters makes this vulnerability particularly dangerous as it requires minimal specialized knowledge to implement and can be triggered through normal application usage patterns.

Security professionals should implement immediate mitigations including input validation for all URI parameters within model version configurations and enhanced URI parsing logic that properly handles empty and 'file' schemes. The fix should involve strengthening the 'is_local_uri' function to explicitly validate URI formats and ensure that all file references are properly classified regardless of scheme presence. Organizations should also consider implementing network segmentation and access controls to limit the potential impact of successful exploitation. This vulnerability aligns with CWE-22, which describes improper limitation of a pathname to a restricted directory, and maps to ATT&CK technique T1059.001 for command and scripting interpreter, as attackers may leverage this capability to execute additional malicious actions based on the information obtained from compromised files. Regular security audits and input sanitization practices should be enforced to prevent similar vulnerabilities from emerging in other components of the mlflow ecosystem.
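The classification rule recommended above, sketched as an added example; it is not MLflow's code or its patch. It treats empty and 'file' schemes as local, allowlists remote schemes, and rejects traversal segments. The names is_local_source, check_source, audit and ALLOWED_SCHEMES, the allowlist contents and the sample values are all assumptions.

```python
from urllib.parse import unquote, urlsplit

# Assumption: schemes used by this deployment's remote artifact stores.
ALLOWED_SCHEMES = frozenset({"s3", "gs", "https"})


def is_local_source(source: str) -> bool:
    """True when `source` would resolve on the server's own filesystem."""
    scheme = urlsplit(source.strip()).scheme  # urlsplit lowercases the scheme
    # "" = bare or relative path, "file" = explicit filesystem URI,
    # single letter = Windows drive ("C:\\data" parses as scheme "c").
    return scheme in ("", "file") or len(scheme) == 1


def check_source(source: str) -> str:
    """Return the cleaned source if acceptable, else raise ValueError."""
    source = source.strip()
    if is_local_source(source):
        raise ValueError("local filesystem source")
    parts = urlsplit(source)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowlisted")
    # Decode until stable so double-encoded "%252e%252e" cannot hide "..".
    path = parts.path
    while (decoded := unquote(path)) != path:
        path = decoded
    if ".." in path.replace("\\", "/").split("/"):
        raise ValueError("traversal segment in path")
    return source


def audit(sources):
    """Map each source to 'accept' or 'reject: <reason>'."""
    verdicts = {}
    for s in sources:
        try:
            check_source(s)
            verdicts[s] = "accept"
        except ValueError as exc:
            verdicts[s] = f"reject: {exc}"
    return verdicts


# Constructed sample values, not taken from the advisory.
SAMPLES = ["s3://models-bucket/run1/model", "/etc/passwd", "file:///etc/passwd",
           "FILE:/etc/passwd", "s3://models-bucket/a/%252e%252e/b", "ftp://host/m"]

if __name__ == "__main__":
    for src, verdict in audit(SAMPLES).items():
        print(f"{src!r:45} {verdict}")
```

Running the same check over 'source' values already stored in a model registry is a quick way to find entries that point at the server's own filesystem.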

Responsible

Huntr.dev

Reservation

04/10/2024

Disclosure

04/16/2024

Moderation

accepted

CPE

ready

EPSS

0.00733

KEV

no

Activities

very low
