
CVE-2023-6909: MLflow Path Traversal Vulnerability

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.99344%
Published: 12/20/2023
Updated: 9/24/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
mlflow       | pip       | < 2.9.2             | 2.9.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the validate_path_is_safe function not decoding URL-encoded characters before checking whether a path is safe, so a traversal sequence such as a percent-encoded '..' passed the check and was decoded afterwards. The GitHub patch adds 'urllib.parse.unquote(path)' so the path is decoded before validation, and test cases were added covering encoded traversal patterns. The CWE-29 classification and the commit message ('Prevent path traversal with encoded URL') directly identify this function as the component whose path validation could be bypassed through encoding.
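The following is an added illustration of the root cause described above; it is constructed for this page and is not MLflow's code or its actual validate_path_is_safe implementation. It places a check that inspects only the raw path string beside a check that percent-decodes before validating, and runs both over a handful of constructed sample paths. The hardened version goes beyond the single unquote the patch adds: it decodes repeatedly until the string stops changing (so double-encoded sequences are not left for a later layer to decode), treats backslashes as separators, and normalises the result before testing for escape from the root.

```python
import posixpath
import re
import urllib.parse

# Constructed sample inputs (not taken from the advisory), mapped to the
# verdict the hardened check should give: True = safe relative path.
SAMPLE_PATHS = {
    "models/model.pkl": True,
    "../../../etc/passwd": False,
    "%2e%2e/%2e%2e/etc/passwd": False,   # percent-encoded '..' segments
    "%252e%252e/etc/passwd": False,      # double-encoded '..'
    "a/..%5c..%5csecret.txt": False,     # encoded backslash separators
    "dir/sub/../file.txt": True,         # '..' that stays inside the root
}


def naive_is_safe(path: str) -> bool:
    """Illustrative weak check (hypothetical, not MLflow's code): it looks
    only at the raw string, so '%2e%2e' is not recognised as '..'."""
    if path.startswith("/"):
        return False
    return ".." not in path.split("/")


def fully_unquote(path: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value stops changing, with a bound so a
    pathological input cannot keep the loop busy."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(path)
        if decoded == path:
            return decoded
        path = decoded
    raise ValueError("too many percent-encoding layers")


def is_safe_relative_path(path: str) -> bool:
    """Hardened check: decode first, normalise separators, then decide on
    the normalised path rather than on the bytes the client sent."""
    try:
        decoded = fully_unquote(path)
    except ValueError:
        return False
    if "\x00" in decoded:                       # embedded NUL never belongs in a path
        return False
    decoded = decoded.replace("\\", "/")        # '\..\filename' style separators
    if posixpath.isabs(decoded) or re.match(r"^[A-Za-z]:", decoded):
        return False                            # absolute or drive-letter path
    norm = posixpath.normpath(decoded)
    # After normalisation, any remaining leading '..' escapes the root.
    return norm != ".." and not norm.startswith("../")


def check_samples() -> dict:
    """Run the hardened check over the constructed samples."""
    return {p: is_safe_relative_path(p) for p in SAMPLE_PATHS}


def bypass_demo(path: str = "%2e%2e/%2e%2e/etc/passwd") -> tuple:
    """Return (naive verdict, hardened verdict) for one encoded input."""
    return naive_is_safe(path), is_safe_relative_path(path)


if __name__ == "__main__":
    for p, verdict in check_samples().items():
        print(f"{p!r:35} naive={naive_is_safe(p)!s:5} hardened={verdict}")
    print("encoded traversal:", bypass_demo())
```

Running the block prints one line per sample; the encoded traversal input is the case where the two checks disagree, which is exactly the gap the patch closes by calling urllib.parse.unquote before validation.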


WAF Protection Rules

WAF Rule

Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.
