BF Specification of CVE-2023-3765 File Injection (absolute path traversal) in GitHub MLflow before v2.5.0

Erroneous validation (does not check for absolute path format with '/', e.g. C:/ or C:/temp/poc.txt) in validate_path_is_safe() leads to file injection -- absolute path traversal. If exploited, this can lead to information exposure, data tempering, or denial of service -- confidentiality, integrity, and availability loss, correspondingly.

//generated// Erroneous Code (in ‘validate_path_is_safe(path)’) to Format Validate absolute path with ‘/’ (to disallow absolute paths, e.g., C:/ or C:/temp/poc.txt) Entered (via API for artifact actions (7 endpoints)) in Codebase (/mlflow/server/ Local leads to File Injection ((absolute path traversal))

. If exploited this can lead to IEX (confidentiality loss) or DOS (availability loss) or TPR (integrity loss).

vendor:product: lfprojects:mlflow

Bug Report

Code with Bug

Code with Fix

NVD Entry

DVLData Validation (DVL) class – Data are validated (syntax check) or sanitized (escape, filter, repair) improperly.
ValidateValidate operation – Check data syntax (proper form/grammar, incl. check for missing symbols/elements) in order to accept (and possibly sanitize) or reject it.
Code BugCode Bug type – Defect in the implementation of the operation – proper operands over an improper operation. A first cause for the chain of weaknesses underlying a software security vulnerability. Must be fixed to resolve the vulnerability.
   Erroneous CodeErroneous Code bug - There is a coding error in the implementation of the operation.
Injection Final ErrorInjection exploitable error type – An exploitable or undefined system behavior caused by 'code separation' data validation bugs.
   File InjectionFile Injection exploitable error – Maliciously inserted data (e.g., with .. and / or with file entries) into an input used to access/modify files or as a file content.
Operation AttributeDefinition
MechanismMechanism operation attribute type – Shows how the buggy/faulty operation code is performed.
   FormatFormat operation attribute – The operation is via a policy based on syntax format (e.g., defined via regular expression).
Source CodeSource Code operation attribute type – Shows where the buggy/faulty operation code is in software or firmware.
   CodebaseCodebase operation attribute – The operation is in the programmer's code - in the application itself.
Execution SpaceExecution Space operation attribute type – Shows where the buggy/faulty operation code is running or with what privilege level.
   LocalLocal operation attribute – The bugged code runs in an environment with access control policy with limited (local user) permission.
Operand AttributeDefinition
Data StateData State operand attribute type operand attribute – Shows where the data come from.
   EnteredEntered operand attribute – Data are from a user via a user interface (e.g., input field of a dialog or a command prompt).