MLflow DNS Rebinding Vulnerability in REST Server

A vulnerability allowing DNS rebinding attacks has been identified in the MLflow REST server, present in versions through 3.4.0. The issue arises from inadequate validation of the Origin header, which enables malicious websites to circumvent Same-Origin Policy restrictions and make unauthorized requests to REST endpoints. This vulnerability could be exploited to query, modify, or delete experiments via the affected endpoints, potentially leading to unauthorized data access, loss, or alteration. The vulnerability has been addressed in MLflow version 3.5.0.

Impact

Exploitation of this vulnerability allows for DNS rebinding attacks, where an attacker can manipulate the victim's browser to send requests to internal services, bypassing same-origin restrictions. This could be used to exploit other vulnerabilities or access sensitive information.

Reproduction

To reproduce this vulnerability, deploy an MLflow server version prior to 3.5.0. Without the security features introduced in 3.5.0, the server will accept requests from any origin. An attacker can then send a request to the server with a malicious Host header, which will be accepted due to the lack of validation. This can be automated with a script or tool that sends HTTP requests, such as curl or a Python script using the requests library.

Remediation

Users can upgrade to MLflow version 3.5.0 or later, where this vulnerability has been fixed. For those using Docker, the `MLFLOW_SERVER_DISABLE_SECURITY_MIDDLEWARE` environment variable should be set to 'true' to disable security features for testing purposes, but this is not recommended for production.