cnvd - cnvd-2024-24971

CNVD-2024-24971

Vulnerability from cnvd - Published: 2024-05-29

Title

ModelDB路径遍历漏洞

Description

ModelDB是VertaAI开源的一个用于机器学习模型版本控制、元数据和实验管理的开源系统。 ModelDB存在路径遍历漏洞，该漏洞源于在文件上传功能中对用户提供的文件路径的清理不当。攻击者可利用该漏洞通过操纵“artifact_path”参数在文件系统中的任何位置写入任意文件。

Severity

高

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://nvd.nist.gov/vuln/detail/CVE-2024-1961

Reference

https://cxsecurity.com/cveshow/CVE-2024-1961/

Impacted products

Name
VertaAI ModelDB

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-1961",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-1961"
    }
  },
  "description": "ModelDB\u662fVertaAI\u5f00\u6e90\u7684\u4e00\u4e2a\u7528\u4e8e\u673a\u5668\u5b66\u4e60\u6a21\u578b\u7248\u672c\u63a7\u5236\u3001\u5143\u6570\u636e\u548c\u5b9e\u9a8c\u7ba1\u7406\u7684\u5f00\u6e90\u7cfb\u7edf\u3002\n\nModelDB\u5b58\u5728\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u6587\u4ef6\u4e0a\u4f20\u529f\u80fd\u4e2d\u5bf9\u7528\u6237\u63d0\u4f9b\u7684\u6587\u4ef6\u8def\u5f84\u7684\u6e05\u7406\u4e0d\u5f53\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u64cd\u7eb5\u201cartifact_path\u201d\u53c2\u6570\u5728\u6587\u4ef6\u7cfb\u7edf\u4e2d\u7684\u4efb\u4f55\u4f4d\u7f6e\u5199\u5165\u4efb\u610f\u6587\u4ef6\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-1961",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-24971",
  "openTime": "2024-05-29",
  "products": {
    "product": "VertaAI ModelDB"
  },
  "referenceLink": "https://cxsecurity.com/cveshow/CVE-2024-1961/",
  "serverity": "\u9ad8",
  "submitTime": "2024-04-17",
  "title": "ModelDB\u8def\u5f84\u904d\u5386\u6f0f\u6d1e"
}

CVE-2024-1961 (GCVE-0-2024-1961)

Vulnerability from cvelistv5 – Published: 2024-04-16 00:00 – Updated: 2024-08-29 19:26

Summary

vertaai/modeldb is vulnerable to a path traversal attack due to improper sanitization of user-supplied file paths in its file upload functionality. Attackers can exploit this vulnerability to write arbitrary files anywhere in the file system by manipulating the 'artifact_path' parameter. This flaw can lead to Remote Code Execution (RCE) by overwriting critical files, such as the application's configuration file, especially when the application is run outside of Docker. The vulnerability is present in the NFSController.java and NFSService.java components of the application.

Severity ?

8.8 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

@huntr_ai

References

URL

Tags

https://huntr.com/bounties/5f602914-3e5d-407a-b8c…

Impacted products

	Vendor	Product	Version
	vertaai	vertaai/modeldb	Affected: unspecified , ≤ latest (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T18:56:22.583Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://huntr.com/bounties/5f602914-3e5d-407a-b8ce-fb444a4e8bb3"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:vertaai:modeldb:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "modeldb",
            "vendor": "vertaai",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-1961",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-07T15:12:46.683855Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-29T19:26:57.248Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vertaai/modeldb",
          "vendor": "vertaai",
          "versions": [
            {
              "lessThanOrEqual": "latest",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "vertaai/modeldb is vulnerable to a path traversal attack due to improper sanitization of user-supplied file paths in its file upload functionality. Attackers can exploit this vulnerability to write arbitrary files anywhere in the file system by manipulating the \u0027artifact_path\u0027 parameter. This flaw can lead to Remote Code Execution (RCE) by overwriting critical files, such as the application\u0027s configuration file, especially when the application is run outside of Docker. The vulnerability is present in the NFSController.java and NFSService.java components of the application."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-16T11:10:54.747Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntr_ai"
      },
      "references": [
        {
          "url": "https://huntr.com/bounties/5f602914-3e5d-407a-b8ce-fb444a4e8bb3"
        }
      ],
      "source": {
        "advisory": "5f602914-3e5d-407a-b8ce-fb444a4e8bb3",
        "discovery": "EXTERNAL"
      },
      "title": "Path Traversal leading to Arbitrary File Write and RCE in vertaai/modeldb"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntr_ai",
    "cveId": "CVE-2024-1961",
    "datePublished": "2024-04-16T00:00:15.706Z",
    "dateReserved": "2024-02-27T21:30:47.630Z",
    "dateUpdated": "2024-08-29T19:26:57.248Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2024-24971

CVE-2024-1961 (GCVE-0-2024-1961)

Tags

Sightings

Nomenclature