MLflow Command Injection Vulnerability in SageMaker Integration

Vulnerability

A command injection vulnerability exists in MLflow versions prior to 3.7.0, specifically within the SageMaker integration. The issue arises in the 'mlflow/sagemaker/__init__.py' file, lines 161-167, where user-supplied container image names are directly interpolated into shell commands without proper sanitization. These commands are executed using 'os.system()', allowing attackers to execute arbitrary commands by providing malicious input through the '--container' parameter of the CLI. This vulnerability affects various environments, including development setups, CI/CD pipelines, and cloud deployments.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the host system where MLflow is running. This could lead to local privilege escalation, data exfiltration, installation of backdoors, disruption of services, or even a supply chain attack if MLflow is used in CI/CD pipelines.

Reproduction

To reproduce this vulnerability, use the 'mlflow sagemaker build-and-push-container' command with the '--container' parameter. Include a malicious image name that exploits the command injection flaw, such as 'my-image:1.0||open -a Calculator #'. The '||' operator will be interpreted by the shell as a command separator, allowing the execution of additional commands.

Remediation

Users are advised to update MLflow to version 3.8.0 or later, where this vulnerability has been fixed.
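The pattern described in the Vulnerability section (a user-controlled image name spliced into a shell string that `os.system()` runs) and the fix implied by the Remediation section can be seen side by side in the following added example. This is illustrative code written for this page, not MLflow's own implementation: the function names, the `docker build -t <image> .` command shape, and the allowlist regex for image references are assumptions chosen to show the technique. The hardened form does two independent things: it validates the reference against a conservative allowlist before use, and it passes the value as one element of an argument list to `subprocess.run()` with `shell=False`, so no shell ever re-parses it.

```python
import re
import subprocess
from typing import List

# Illustrative only: NOT MLflow's code. Models the vulnerable shape from the
# advisory and one way to harden it.

# Conservative allowlist for a container image reference (an assumption, stricter
# than the full Docker reference grammar):
#   [host[:port]/]path/segments[:tag][@sha256:<64 hex>]
# Shell metacharacters (| ; & $ ` space quotes #) are not in any character class,
# so any input carrying them fails validation.
_IMAGE_REF = re.compile(
    r"^(?:[a-z0-9.-]+(?::[0-9]{1,5})?/)?"        # optional registry host[:port]/
    r"[a-z0-9]+(?:[._-][a-z0-9]+)*"               # first path component
    r"(?:/[a-z0-9]+(?:[._-][a-z0-9]+)*)*"         # further path components
    r"(?::[A-Za-z0-9_][A-Za-z0-9_.-]{0,127})?"    # optional :tag
    r"(?:@sha256:[a-f0-9]{64})?$"                 # optional @digest
)


def validate_image_reference(image: str) -> str:
    """Return `image` unchanged if it is a well-formed reference, else raise ValueError."""
    if len(image) > 255 or not _IMAGE_REF.fullmatch(image):
        raise ValueError(f"invalid container image reference: {image!r}")
    return image


def rejects(image: str) -> bool:
    """True if validation rejects `image` (convenience for checks and tests)."""
    try:
        validate_image_reference(image)
    except ValueError:
        return True
    return False


def build_shell_command_unsafe(image: str) -> str:
    """The vulnerable shape: the value becomes part of a shell string.

    If this string were handed to os.system(), the shell would parse '||', ';',
    '$(...)' and '#' inside `image` as syntax rather than as part of the name.
    This function only builds the string; it never executes it.
    """
    return f"docker build -t {image} ."


def build_argv_safe(image: str) -> List[str]:
    """Hardened shape: validated value, kept as a single argv element."""
    image = validate_image_reference(image)
    return ["docker", "build", "-t", image, "."]


def run_build(image: str, dry_run: bool = True) -> List[str]:
    """Build the argv and, unless dry_run, execute it without a shell."""
    argv = build_argv_safe(image)
    if not dry_run:
        # shell=False (the default): argv is passed to execve as-is and is never
        # re-tokenised, so metacharacters cannot become separate commands.
        subprocess.run(argv, check=True)
    return argv


if __name__ == "__main__":
    # Constructed sample inputs, including the separator-style string from the advisory.
    for candidate in ["my-image:1.0", "my-image:1.0||open -a Calculator #"]:
        print(candidate, "->", "rejected" if rejects(candidate) else build_argv_safe(candidate))
```

With `dry_run=True` (the default) `run_build()` only returns the argument list, which is enough to confirm that the image name reaches the `docker` process as exactly one argument; flip it to `False` on a host with Docker installed to perform the actual build.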

Added: Mar 16, 2026, 2:52 PM
Updated: Mar 16, 2026, 2:52 PM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 7.5
exploitability: 4.8
remediation: 7.7
relevance: 4.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.