MLflow Path Traversal Vulnerability Allowing Arbitrary File Writes

Vulnerability

A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. The issue arises because `tarfile.extractall` is used without path validation, enabling crafted tar.gz files to escape the intended extraction directory. This vulnerability affects the latest version of MLflow and poses a high to critical risk, particularly in multi-tenant environments or when ingesting untrusted artifacts, as it can lead to arbitrary file overwrites and potential remote code execution.

Impact

Exploitation of this vulnerability allows for arbitrary file writes under the MLflow process user. This could overwrite sensitive files such as `~/.ssh/authorized_keys`, shell configuration files, or system configuration files, potentially leading to remote code execution. The vulnerability is considered high to critical in shared clusters, Databricks workspaces, or services that ingest user-provided tar archives.

Reproduction

The vulnerability can be reproduced by creating a malicious tar.gz file that includes `..` or absolute paths. This file can then be extracted using the `extract_archive_to_dir` function from the `mlflow.pyfunc.dbconnect_artifact_cache` module, which will unpack the archive without proper path validation, allowing the crafted entries to escape the extraction directory and write files controlled by the attacker.

Remediation

It is recommended to validate each `TarInfo` member before extraction by rejecting absolute paths and any paths that escape the intended extraction directory. Alternatively, paths can be sanitized before writing or an error can be raised on suspicious entries. Adding a regression test to ensure that such malicious entries are blocked during extraction would also be beneficial.
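The member validation recommended above, together with the regression check, as an added example; it is not MLflow's code or its fix. The names `safe_extract_tar`, `UnsafeArchiveError`, `build_sample_archive` and `run_regression` are hypothetical, the sample archives are constructed, and refusing links and special files outright is this example's own assumption, which goes beyond the two checks the advisory names.

```python
import io
import os
import tarfile
import tempfile

class UnsafeArchiveError(Exception):
    """A tar member would be written outside the extraction directory."""

def safe_extract_tar(archive_path, dest_dir):
    """Validate every member first, then extract; a bad entry aborts before any write."""
    base = os.path.realpath(dest_dir)
    with tarfile.open(archive_path, "r:*") as tar:
        members = tar.getmembers()
        for m in members:
            # Example's assumption: links and special files are refused outright,
            # so a link cannot redirect the path of a later member.
            if not (m.isfile() or m.isdir()):
                raise UnsafeArchiveError(f"unsupported member type: {m.name!r}")
            target = os.path.realpath(os.path.join(base, m.name))
            if os.path.isabs(m.name) or os.path.commonpath([base, target]) != base:
                raise UnsafeArchiveError(f"escapes destination: {m.name!r}")
        # Also apply the standard library's "data" filter where this Python has it.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(base, members=members, **extra)
    return [m.name for m in members]

def build_sample_archive(path, name, data=b"constructed sample"):
    """Constructed input: a tar.gz holding one small file stored under `name`."""
    with tarfile.open(path, "w:gz") as tar:
        info = tarfile.TarInfo(name=name)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))

def run_regression():
    """Benign archive extracts; '..' and absolute member names are rejected."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        dest = os.path.join(work, "out")
        os.mkdir(dest)
        samples = {"benign": "model/MLmodel", "dotdot": "../escaped.txt",
                   "absolute": os.path.join(work, "abs.txt")}
        for label, name in samples.items():
            archive = os.path.join(work, label + ".tar.gz")
            build_sample_archive(archive, name)
            try:
                safe_extract_tar(archive, dest)
                results[label] = "extracted"
            except UnsafeArchiveError:
                results[label] = "rejected"
        results["escaped_written"] = os.path.exists(os.path.join(work, "escaped.txt"))
    return results
```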

Added: Mar 18, 2026, 11:27 PM
Updated: Mar 18, 2026, 11:27 PM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 3.1
exploitability: 8.5
remediation: 0.0
relevance: 4.4
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.