MLflow Path Traversal Vulnerability in Tarfile Extraction

A path traversal vulnerability has been identified in the MLflow project, specifically within the 'extract_archive_to_dir' function of the 'mlflow/pyfunc/dbconnect_artifact_cache.py' file. This vulnerability affects versions prior to 3.7.0 and stems from inadequate validation of tar member paths during extraction. An attacker controlling the tar.gz file can exploit this flaw to overwrite arbitrary files or gain elevated privileges, potentially escaping the sandbox directory in multi-tenant or shared cluster environments.

Impact

Exploitation allows for path traversal, overwriting of files, and potentially escaping sandbox restrictions in shared environments.

Reproduction

The vulnerability can be reproduced by creating a tar.gz file that includes paths designed to traverse directories, such as relative paths that go up the directory structure. This crafted tar file can then be extracted using the vulnerable 'extract_archive_to_dir' function, which lacks proper path validation. Additionally, tar files containing symlinks that point outside the extraction directory can also exploit this vulnerability.

Remediation

Users should update to MLflow version 3.7.0 or later, where this vulnerability has been fixed.