BentoML Path Traversal Vulnerability in Bentofile Configuration Allows Arbitrary File Read

Vulnerability

A path traversal vulnerability has been identified in BentoML versions prior to 1.4.34. The issue arises in the 'bentofile.yaml' configuration, where multiple file path fields can be exploited to traverse directories and access arbitrary files. When a malicious bentofile is built, it can exfiltrate sensitive files from the filesystem into the bento archive. This vulnerability enables supply chain attacks by embedding confidential information, such as SSH keys and credentials, into bentos, which are then exposed when the bento is pushed to a registry or deployed.

Impact

Exploitation of this vulnerability allows for unauthorized access to arbitrary files, including sensitive information such as SSH keys, credentials, and environment variables. This embedded data is exposed when the bento is uploaded to a registry or deployed, potentially leading to further security breaches.

Reproduction

To reproduce this vulnerability, create a 'bentofile.yaml' file with a path traversal payload in one of the vulnerable fields: 'description', 'docker.setup_script', 'docker.dockerfile_template', or 'conda.environment_yml'. When the bento is built, the specified file will be exfiltrated into the bento archive. This can be verified by checking the contents of the README.md file or the appropriate Docker-related files in the built bento.

Remediation

Users can update to BentoML version 1.4.34 or later, where this vulnerability has been patched.
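For bentofiles that come from other parties, a pre-build check over the four fields listed under Reproduction can flag any path that resolves outside the build directory. This is an added example, not BentoML's code or its patch; the names find_escaping_paths and SAMPLE are hypothetical. It assumes the YAML has already been parsed into a dict and that 'description' refers to a file only through a "file:" prefix.

```python
from pathlib import Path

# The four path-bearing bentofile.yaml fields named in the advisory.
PATH_FIELDS = ("description", "docker.setup_script",
               "docker.dockerfile_template", "conda.environment_yml")

def _lookup(config, dotted):
    """Walk a dotted key such as 'docker.setup_script' through nested dicts."""
    node = config
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def _as_path(field, value):
    """Return the path a field refers to, or None if it holds no path."""
    if not isinstance(value, str) or not value.strip():
        return None
    if field == "description":
        # Assumption: description is inline text unless it starts with "file:".
        if not value.startswith("file:"):
            return None
        value = value[len("file:"):]
    return value.strip()

def find_escaping_paths(config, build_ctx):
    """List (field, path) pairs whose target resolves outside build_ctx."""
    root = Path(build_ctx).resolve()
    findings = []
    for field in PATH_FIELDS:
        raw = _as_path(field, _lookup(config, field))
        if raw is None:
            continue
        # An absolute value replaces root; '..' and existing symlinks are resolved.
        target = (root / raw).resolve()
        if target != root and root not in target.parents:
            findings.append((field, raw))
    return findings

# Constructed sample: a parsed bentofile with two out-of-tree references.
SAMPLE = {
    "service": "service:svc",
    "description": "file: ../../outside/notes.txt",
    "docker": {"setup_script": "./setup.sh",
               "dockerfile_template": "/opt/constructed/Dockerfile.j2"},
    "conda": {"environment_yml": "conda/../environment.yml"},
}
```

A non-empty result is a reason to stop the build and review the bentofile before anything is pushed to a registry.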

Added: Jan 26, 2026, 11:25 PM
Updated: Jan 26, 2026, 11:25 PM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 2.5
exploitability: 6.3
remediation: 7.7
relevance: 2.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.