BF Specification of CVE-2023-2356 — Relative Path Traversal in GitHub repository mlflow/mlflow prior to 2.3.1
-0.png)
Missing Code (in '_validate_source(source, run_id)') to Validate (path) of Entered data (via API endpoint 'model-versions/create') using Format mechanism (disallowed relative paths for 'run_artifact_dir', e.g., 'mlflow-artifacts://host:port/../../../../' and '/models/artifacts/../../../') in Codebase source code (mlflow/server/handlers.py#L1333) in Local execution space leads to File Injection ((relative path traversal)) final error, which can be exploited toward
Information Exposure (IEX) (confidentiality loss) security failure.
|
| Class | Definition |
| DVL | Data Validation (DVL) class – Data are validated (i.e., syntax check) or sanitized (i.e., escape, filter, or repair) improperly. |
| Operation | Definition |
| Validate | Validate operation – Check data syntax (e.g., proper form/grammar or missing symbols/elements) in order to accept or sanitize it. |
| Cause/Consequence | Definition |
| Code Bug | Code Bug type – An error in the implementation of an operation – proper operands over an improper operation. It is the roor cause of a security vulnerability. Must be fixed to resolve the vulnerability. |
| Missing Code | Missing Code bug - The operation is misplaced entirely absent. |
| Injection Final Error | Injection final error/exploit vector type – An exploitable or undefined system behavior caused by validation or sanitization bugs. |
| File Injection | File Injection final error – Maliciously inserted data (e.g., with .. and / or with file entries) into an input used to access/modify files or as a file content. |
| Operation Attribute | Definition |
| Mechanism | Mechanism operation attribute type – Shows how the operation with a bug or faulty operand is performed. |
| Format | Format operation attribute – The operation is via a policy based on syntax format (e.g., defined via regular expression). |
| Source Code | Source Code operation attribute type – Shows where the code of the operation with a bug or faulty operand resides within the software, firmware, or hardware. |
| Codebase | Codebase operation attribute – The operation is in the programmer's code - in the application itself. |
| Execution Space | Execution Space operation attribute type – Shows where the operation with a bug or faulty operand is executed and the privilege level at which it runs. |
| Local | Local operation attribute – The bugged code runs in an environment with access control policy with limited (local user) permission. |
| Operand Attribute | Definition |
| Data State | Data State operand attribute type – Shows where the data comes from. |
| Entered | Entered operand attribute – Data are from a user via a user interface (e.g., input field, dialog or a command prompt). |
| Failure | Definition |
| IEX | Information Exposure (IEX) – Inadvertent disclosure of information that leads to confidentiality loss. |