mlflow
cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*
- <= 3.9.0
A vulnerability exists in the '_create_model_version()' handler of MLflow's server file 'handlers.py', affecting versions through 3.9.0. The issue allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem. This vulnerability arises when a 'CreateModelVersion' request includes the tag 'mlflow.prompt.is_prompt', which bypasses essential source path validation. Consequently, an attacker can manipulate the model version source to point to any local filesystem path. The 'get_model_version_artifact_handler()' function later serves files from this source without verifying the model version's prompt status, leading to a complete compromise of confidentiality on the server.
Exploitation of this vulnerability allows for unauthorized reading of files from the MLflow server's filesystem. This could include sensitive files such as '/etc/passwd', '/etc/shadow' (if the server is running as root), SSH private keys, AWS credentials, and environment variables containing secrets. Such access represents a total breach of confidentiality on the server.
To reproduce this vulnerability, send a 'CreateModelVersion' request with the 'mlflow.prompt.is_prompt' tag set to 'true'. This will bypass the source validation process. Once the model version is created, the 'get_model_version_artifact_handler()' can be used to retrieve files from the specified source path, effectively reading arbitrary files from the server.
Users are advised to update to MLflow version 3.10.0 or later, where this vulnerability has been fixed.
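For deployments that cannot upgrade immediately, one defender-side check implied by the description above is to scan logged CreateModelVersion request bodies for the prompt tag paired with a local filesystem source. This is an added example, not MLflow's own code; the access-log record layout (client, method, path, body) and the sample entries are constructed, and the registry endpoint path is MLflow's documented REST route.

```python
"""Detection helper for the CreateModelVersion source-validation bypass.
Added example, not MLflow project code; the log record layout and the
sample entries below are constructed."""
import json
from typing import Optional
from urllib.parse import urlparse

PROMPT_TAG = "mlflow.prompt.is_prompt"  # tag named in the advisory
CREATE_MV_PATH = "/api/2.0/mlflow/model-versions/create"

def is_local_path(source: str) -> bool:
    """Bare path, file:// URI or Windows drive letter, not an artifact-store URI."""
    scheme = urlparse(source).scheme
    return scheme in ("", "file") or len(scheme) == 1

def tag_value(tags, key: str) -> Optional[str]:
    for tag in tags or []:
        if tag.get("key") == key:
            return str(tag.get("value"))
    return None

def flag_request(record: dict) -> Optional[dict]:
    """Finding for a CreateModelVersion pairing the prompt tag with a local source."""
    if record.get("method") != "POST" or record.get("path") != CREATE_MV_PATH:
        return None
    try:
        body = json.loads(record.get("body", "{}"))
    except json.JSONDecodeError:
        return None  # malformed body: nothing to inspect
    prompt = tag_value(body.get("tags"), PROMPT_TAG)
    source = str(body.get("source", ""))
    if prompt is None or not is_local_path(source):
        return None
    return {"client": record.get("client"), "source": source, PROMPT_TAG: prompt}

def scan(records) -> list:
    return [f for f in map(flag_request, records) if f]

# Constructed sample log: a normal registration, a prompt kept in the
# artifact store, and a prompt-tagged version pointing at a local path.
SAMPLE_LOG = [
    {"client": "10.0.0.5", "method": "POST", "path": CREATE_MV_PATH,
     "body": json.dumps({"name": "m", "source": "s3://bucket/run/model"})},
    {"client": "10.0.0.6", "method": "POST", "path": CREATE_MV_PATH,
     "body": json.dumps({"name": "p", "source": "mlflow-artifacts:/prompts/p",
                         "tags": [{"key": PROMPT_TAG, "value": "true"}]})},
    {"client": "203.0.113.9", "method": "POST", "path": CREATE_MV_PATH,
     "body": json.dumps({"name": "p", "source": "/etc/passwd",
                         "tags": [{"key": PROMPT_TAG, "value": "true"}]})},
]
```

Only the third record is flagged: the prompt tag by itself is legitimate, so the check keys on the combination with a non-artifact-store source.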