BF Specification of CVE-2023-3765 File Injection (absolute path traversal) in GitHub MLflow before v2.5.0
-0.png)
Erroneous validation (does not check for absolute path format with '/', e.g. C:/ or C:/temp/poc.txt) in validate_path_is_safe() leads to file injection -- absolute path traversal. If exploited, this can lead to information exposure, data tempering, or denial of service -- confidentiality, integrity, and availability loss, correspondingly.
//generated// Erroneous Code (in ‘validate_path_is_safe(path)’) to Format Validate absolute path with ‘/’ (to disallow absolute paths, e.g., C:/ or C:/temp/poc.txt) Entered (via API for artifact actions (7 endpoints)) in Codebase (/mlflow/server/handlers.py:#L532-#L533) Local leads to File Injection ((absolute path traversal))
. If exploited this can lead to IEX (confidentiality loss) or DOS (availability loss) or TPR (integrity loss).
|
| Class | Definition |
| DVL | Data Validation (DVL) class – Data are validated (i.e., syntax check) or sanitized (i.e., escape, filter, or repair) improperly. |
| Operation | Definition |
| Validate | Validate operation – Check data syntax (e.g., proper form or grammar, missing symbols or elements) in order to accept or sanitize it. |
| Cause/Consequence | Definition |
| Code Bug | Code Bug type – An error in the implementation of an operation – proper operands over an improper operation. It is the roor cause of a security vulnerability. Must be fixed to resolve the vulnerability. |
| Erroneous Code | Erroneous Code bug - There is a coding error in the implementation of the operation. |
| Injection Final Error | Injection final error type – An exploitable or undefined system behavior caused by validation or sanitization bugs. |
| File Injection | File Injection final error – Maliciously inserted data (e.g., with .. and / or with file entries) into an input used to access/modify files or as a file content. |
| Operation Attribute | Definition |
| Mechanism | Mechanism operation attribute type – Shows how the operation the operation with a bug or faulty operand is performed. |
| Format | Format operation attribute – The operation is via a policy based on syntax format (e.g., defined via regular expression). |
| Source Code | Source Code operation attribute type – Shows where the code of the operation with a bug or faulty operand resides within the software, firmware, or hardware. |
| Codebase | Codebase operation attribute – The operation is in the programmer's code - in the application itself. |
| Execution Space | Execution Space operation attribute type – Shows where the operation with a bug or faulty operand is executed and the privilege level at which it runs. |
| Local | Local operation attribute – The bugged code runs in an environment with access control policy with limited (local user) permission. |
| Operand Attribute | Definition |
| Data State | Data State operand attribute type – Shows where the data comes from. |
| Entered | Entered operand attribute – Data are from a user via a user interface (e.g., input field of a dialog or a command prompt). |