MLflow Missing Authorization Vulnerability in MPU Endpoints Allows Cross-User Artifact Overwrite and Code Execution

Vulnerability

A vulnerability exists in MLflow versions through 3.10.1.dev0, allowing unauthorized access to multipart upload (MPU) endpoints when the 'serve-artifacts' mode is active. The issue arises because the authorization logic fails to apply resource-level permission checks to the '/mlflow-artifacts/mpu/*' endpoints. This oversight enables attackers to overwrite artifacts belonging to other users, leading to unauthorized cross-user writes, model supply chain poisoning, and arbitrary code execution when compromised models are loaded.

Impact

Exploitation of this vulnerability allows for unauthorized overwriting of artifacts belonging to other users, with potential consequences including model supply chain poisoning and arbitrary code execution when affected models are loaded. In shared remote Tracking Server environments, this could result in cross-user command execution and facilitate lateral movement across hosts.

Reproduction

To reproduce this vulnerability, first set up a local S3 simulation environment using Moto and create a test bucket. Then, configure MLflow to use basic authentication and set the default permission to 'NO_PERMISSIONS'. Start the MLflow server with the 'serve-artifacts' option enabled. After logging in as an admin user, create a victim and an attacker user, and have the victim log a model. The attacker can then overwrite the victim's model artifact by exploiting the missing authorization validation on the MPU endpoints.

Remediation

Users are advised to update to MLflow version 3.10.0 or later, where this vulnerability has been fixed.
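A log check for the gap described above, as an added example that is not part of the original advisory or MLflow's own code: it scans proxy access logs for successful requests under '/mlflow-artifacts/mpu/' made by a user who does not own the target run. The log layout, the <experiment_id>/<run_id>/artifacts/... path layout, the run-owner map, and the sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed access-log layout (proxy in front of MLflow that logs the basic-auth user):
#   client - user [time] "METHOD path HTTP/x" status
LINE = re.compile(r'^\S+ \S+ (?P<user>\S+) \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Prefix taken from the advisory; the operation and artifact path follow it.
MPU = re.compile(r"/mlflow-artifacts/mpu/(?P<op>[^/]+)/(?P<artifact>[^?]+)")


def cross_user_mpu(lines, run_owner, admins=frozenset()):
    """Return (user, owner, op, artifact) for each successful MPU request
    made by a non-admin user against a run owned by someone else."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m or not m["status"].startswith("2"):
            continue  # unparsable line, or the server rejected the request
        hit = MPU.search(unquote(m["path"]))
        if not hit:
            continue
        # Normalise so "../" segments cannot hide the real target run.
        artifact = posixpath.normpath(hit["artifact"])
        parts = artifact.split("/")
        # Assumption: artifact paths look like <experiment_id>/<run_id>/artifacts/...
        owner = run_owner.get(parts[1]) if len(parts) > 1 else None
        user = m["user"]
        if owner and user != owner and user not in admins:
            findings.append((user, owner, hit["op"], artifact))
    return findings


# Constructed sample data: run ownership would come from the tracking store.
RUN_OWNER = {"run_a": "victim"}
SAMPLE_LOG = [
    '10.0.0.5 - victim [26/May/2026:10:00:01 +0000] "POST /api/2.0/mlflow-artifacts/mpu/create/1/run_a/artifacts/model/model.pkl HTTP/1.1" 200',
    '10.0.0.9 - attacker [26/May/2026:10:05:12 +0000] "POST /api/2.0/mlflow-artifacts/mpu/create/1/run_a/artifacts/model/model.pkl HTTP/1.1" 200',
    '10.0.0.9 - attacker [26/May/2026:10:05:13 +0000] "POST /api/2.0/mlflow-artifacts/mpu/complete/1/run_b/../run_a/artifacts/model/model.pkl HTTP/1.1" 200',
    '10.0.0.9 - attacker [26/May/2026:10:06:40 +0000] "POST /api/2.0/mlflow-artifacts/mpu/create/1/run_a/artifacts/model/model.pkl HTTP/1.1" 403',
    '10.0.0.9 - attacker [26/May/2026:10:07:02 +0000] "GET /api/2.0/mlflow/experiments/search HTTP/1.1" 200',
]

if __name__ == "__main__":
    for finding in cross_user_mpu(SAMPLE_LOG, RUN_OWNER, admins={"admin"}):
        print("cross-user MPU write:", finding)
```

Any finding on a pre-fix server means the named artifact should be treated as untrusted and re-validated before it is loaded.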

Added: May 26, 2026, 8:10 PM
Updated: May 26, 2026, 8:10 PM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 7.5
exploitability: 5.8
remediation: 7.7
relevance: 9.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.