[BUG] Security Vulnerability #7166

Closed
y4ppieflu opened this issue Oct 26, 2022 · 10 comments · Fixed by #7170
Labels
has-closing-pr This issue has a closing PR

Comments

@y4ppieflu

Vulnerability details
Local file inclusion in the MLFlow server, additional details may be provided upon request.
MLFlow version
Reproduced in 1.26.1 and 1.30.0

@harupy
Member

harupy commented Oct 26, 2022

@y4ppieflu Can you provide more details?

@y4ppieflu
Author

y4ppieflu commented Oct 26, 2022

@harupy
Sure, the vulnerability allows reading arbitrary files on the server where mlflow is running via the artifact download handler.
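
The bug class the reporter describes, a download handler that joins a client-supplied artifact path onto the server's artifact root, as an added illustration. This is not MLflow's code and not the reporter's proof of concept: the artifact root, the function names and the sample requests are all constructed for the example. The vulnerable pattern sits next to a containment check that rejects traversal and absolute paths.

```python
"""Constructed example of the local-file-inclusion pattern behind this report.
Not MLflow's code; ARTIFACT_ROOT and the function names are assumptions."""
import posixpath

# Assumed artifact root for the example (not taken from MLflow's config).
ARTIFACT_ROOT = "/srv/mlflow/artifacts"


def unsafe_resolve(root: str, requested: str) -> str:
    """Vulnerable pattern: join, normalise, never check containment.
    '../' segments walk out of the root and an absolute path replaces it."""
    return posixpath.normpath(posixpath.join(root, requested))


def safe_resolve(root: str, requested: str) -> str:
    """Resolve a client-supplied path and refuse anything outside the root.

    The check must run on the decoded path the web framework hands the handler
    (after %2e%2e has already become '..'). On a live filesystem the result
    should additionally be passed through os.path.realpath and re-checked so a
    symlink inside the root cannot point outside it; that step is omitted here
    so the example runs offline."""
    if not requested or "\x00" in requested:
        raise ValueError("empty or NUL-containing path")
    # Treat backslashes as separators so 'a\\..\\..' cannot slip past a
    # POSIX-only check when the server happens to run on Windows.
    requested = requested.replace("\\", "/")
    # Absolute paths (POSIX '/etc/passwd' or Windows 'C:/...') would discard
    # the root entirely during join, so reject them before joining.
    if posixpath.isabs(requested) or (len(requested) > 1 and requested[1] == ":"):
        raise ValueError("absolute path rejected")
    norm_root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(norm_root, requested))
    # commonpath compares whole segments, so '/srv/mlflow/artifacts2' does not
    # pass as a child of '/srv/mlflow/artifacts' (a plain startswith would).
    if posixpath.commonpath([norm_root, candidate]) != norm_root:
        raise ValueError("path escapes artifact root")
    return candidate


def is_within_root(root: str, requested: str) -> bool:
    """True if safe_resolve accepts the path, False if it rejects it."""
    try:
        safe_resolve(root, requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed requests: one legitimate artifact path, the rest traversal.
    for req in ["0/run1/artifacts/model.pkl",
                "../../../etc/passwd",
                "/etc/passwd",
                "0/run1/../../../../etc/shadow",
                "..\\..\\..\\windows\\win.ini"]:
        verdict = "accepted" if is_within_root(ARTIFACT_ROOT, req) else "rejected"
        print(f"{req!r:40} unsafe -> {unsafe_resolve(ARTIFACT_ROOT, req)}")
        print(f"{'':40} safe   -> {verdict}")
```

The containment check is deliberately done with posixpath on the normalised string rather than with a prefix comparison: prefix checks accept sibling directories that share a name prefix, and checks that run before normalisation miss `a/../../b`. Whatever the real handler does, the decisive test is the one on the final resolved path.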

@harupy
Member

harupy commented Oct 26, 2022

@y4ppieflu Thanks for reporting this vulnerability. I was able to reproduce it.

@y4ppieflu
Author

Thanks @harupy
I am hiding the above details for now.

@harupy
Member

harupy commented Oct 26, 2022

Thank you!

@github-actions github-actions bot added the has-closing-pr This issue has a closing PR label Oct 26, 2022
@y4ppieflu
Author

BTW — shall this follow the process described in the Security Policy and have an associated Github Security Advisory?

@y4ppieflu
Author

> BTW — shall this follow the process described in the Security Policy and have an associated Github Security Advisory?

@harupy hi, what about my comment above?

@y4ppieflu
Author

Hi @harupy
kind reminder :)

@y4ppieflu
Author

CVE record for this issue is now published (CVE-2023-30172)

MLflow v2.0.1 fixes the vulnerability.

@noren95

noren95 commented May 11, 2023

Does 2.0.1? I see that it was merged into 2.0.0 as well. Can you please confirm?
