cnvd - cnvd-2024-24971

cnvd-2024-24971

Vulnerability from cnvd

Title: ModelDB路径遍历漏洞

Description:

ModelDB是VertaAI开源的一个用于机器学习模型版本控制、元数据和实验管理的开源系统。

ModelDB存在路径遍历漏洞，该漏洞源于在文件上传功能中对用户提供的文件路径的清理不当。攻击者可利用该漏洞通过操纵“artifact_path”参数在文件系统中的任何位置写入任意文件。

Severity: 高

Formal description:

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://nvd.nist.gov/vuln/detail/CVE-2024-1961

Reference: https://cxsecurity.com/cveshow/CVE-2024-1961/

Impacted products

Name
VertaAI ModelDB

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-1961",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-1961"
    }
  },
  "description": "ModelDB\u662fVertaAI\u5f00\u6e90\u7684\u4e00\u4e2a\u7528\u4e8e\u673a\u5668\u5b66\u4e60\u6a21\u578b\u7248\u672c\u63a7\u5236\u3001\u5143\u6570\u636e\u548c\u5b9e\u9a8c\u7ba1\u7406\u7684\u5f00\u6e90\u7cfb\u7edf\u3002\n\nModelDB\u5b58\u5728\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u6587\u4ef6\u4e0a\u4f20\u529f\u80fd\u4e2d\u5bf9\u7528\u6237\u63d0\u4f9b\u7684\u6587\u4ef6\u8def\u5f84\u7684\u6e05\u7406\u4e0d\u5f53\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u64cd\u7eb5\u201cartifact_path\u201d\u53c2\u6570\u5728\u6587\u4ef6\u7cfb\u7edf\u4e2d\u7684\u4efb\u4f55\u4f4d\u7f6e\u5199\u5165\u4efb\u610f\u6587\u4ef6\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-1961",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-24971",
  "openTime": "2024-05-29",
  "products": {
    "product": "VertaAI ModelDB"
  },
  "referenceLink": "https://cxsecurity.com/cveshow/CVE-2024-1961/",
  "serverity": "\u9ad8",
  "submitTime": "2024-04-17",
  "title": "ModelDB\u8def\u5f84\u904d\u5386\u6f0f\u6d1e"
}

CVE-2024-1961 (GCVE-0-2024-1961)

Vulnerability from cvelistv5

Published

2024-04-16 00:00

Modified

2024-08-29 19:26

Severity ?

8.8 (High) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Summary

vertaai/modeldb is vulnerable to a path traversal attack due to improper sanitization of user-supplied file paths in its file upload functionality. Attackers can exploit this vulnerability to write arbitrary files anywhere in the file system by manipulating the 'artifact_path' parameter. This flaw can lead to Remote Code Execution (RCE) by overwriting critical files, such as the application's configuration file, especially when the application is run outside of Docker. The vulnerability is present in the NFSController.java and NFSService.java components of the application.

References

▼	URL	Tags
	https://huntr.com/bounties/5f602914-3e5d-407a-b8ce-fb444a4e8bb3

Impacted products

	Vendor	Product	Version
	vertaai	vertaai/modeldb	Version: unspecified <

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T18:56:22.583Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://huntr.com/bounties/5f602914-3e5d-407a-b8ce-fb444a4e8bb3"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:vertaai:modeldb:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "modeldb",
            "vendor": "vertaai",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-1961",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-07T15:12:46.683855Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-29T19:26:57.248Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vertaai/modeldb",
          "vendor": "vertaai",
          "versions": [
            {
              "lessThanOrEqual": "latest",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "vertaai/modeldb is vulnerable to a path traversal attack due to improper sanitization of user-supplied file paths in its file upload functionality. Attackers can exploit this vulnerability to write arbitrary files anywhere in the file system by manipulating the \u0027artifact_path\u0027 parameter. This flaw can lead to Remote Code Execution (RCE) by overwriting critical files, such as the application\u0027s configuration file, especially when the application is run outside of Docker. The vulnerability is present in the NFSController.java and NFSService.java components of the application."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-16T11:10:54.747Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntr_ai"
      },
      "references": [
        {
          "url": "https://huntr.com/bounties/5f602914-3e5d-407a-b8ce-fb444a4e8bb3"
        }
      ],
      "source": {
        "advisory": "5f602914-3e5d-407a-b8ce-fb444a4e8bb3",
        "discovery": "EXTERNAL"
      },
      "title": "Path Traversal leading to Arbitrary File Write and RCE in vertaai/modeldb"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntr_ai",
    "cveId": "CVE-2024-1961",
    "datePublished": "2024-04-16T00:00:15.706Z",
    "dateReserved": "2024-02-27T21:30:47.630Z",
    "dateUpdated": "2024-08-29T19:26:57.248Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted