BentoML Symlink Traversal Vulnerability in Build Packaging Workflow Allowing Information Disclosure

A vulnerability in BentoML's build packaging workflow prior to version 1.4.39 allows for information disclosure through symlink traversal. The issue arises because the workflow follows attacker-controlled symlinks in the build context and copies the linked file contents into the final Bento artifact. This vulnerability can be exploited by building an untrusted repository or using an attacker-supplied build context, where an attacker can place a symlink to a sensitive local file. When the 'bentoml build' command is executed, BentoML dereferences the symlink and includes the contents of the target file in the Bento artifact. The leaked file can then be exported, pushed, or containerized, potentially spreading sensitive information such as cloud credentials, SSH keys, API tokens, or other local configurations beyond the original build machine.

Impact

Exploitation of this vulnerability allows for the unauthorized exfiltration of local files from the build host into the Bento artifact, which can then be exported, uploaded, stored, or converted into a container image, amplifying the impact of the leaked information.

Reproduction

The vulnerability can be reproduced by creating a symlink in the build context that points to a file outside of it, such as a marker file in the '/tmp' directory. After including the symlinked file in the 'bentofile.yaml' and running 'bentoml build', the contents of the external file will be packaged into the Bento artifact. This can be verified by exporting the Bento service and checking the exported files for the presence of the leaked data.

Remediation

Users can update to BentoML version 1.4.39 or later, where this vulnerability has been fixed.