AI PRP: Arbitrary File Read in mlflow CVE-2023-6977 about tsunami-security-scanner-plugins HOT 7 OPEN

Hi @frkngksl,

We already have a plugin that detects CVE-2023-1177 which seems to be the previous version of that vulnerability. Could you:

1. Confirm that our understanding is correct (CVE-2023-6977 is a bypass of the mitigation implemented for CVE-2023-1177);
2. Perform the modification directly to the existing plugin as it looks like this version encompass the previous one as well.
3. Change the README accordingly to mention that this covers both vulnerabilities

Let me know if you are interested. This would qualify for a slightly lower bounty though.

Cheers,
~tooryx

from tsunami-security-scanner-plugins.

Hi @tooryx,

I could implement and compine it with the existing plugin, but I applied for #429 . Since you said that this PRP is lower bounty, could I take these two together?

from tsunami-security-scanner-plugins.

Hi @frkngksl,

I did not really track the status of #429, so I do not know who it will be assigned to.
But you can start working on this one, given its size, it should be fairly quick.

Cheers,
~tooryx

from tsunami-security-scanner-plugins.

Okay then, I will start with this one. Will you send me a submission link to track the progress?

from tsunami-security-scanner-plugins.

Please submit our participation form and you can start working on the development.

Thanks!
~tooryx

from tsunami-security-scanner-plugins.

Hi @tooryx , Do you want me to also add CVE-2023-2780 ? As far as I understand from the first glance, it is another bypass for CVE-2023-1177. It can be thought as the same category with the CVE-2023-6977. Maybe it might help to increase the bounty amount too?

Ref: https://huntr.com/bounties/b12b0073-0bb0-4bd1-8fc2-ec7f17fd7689

from tsunami-security-scanner-plugins.

Hi @tooryx, I have one more question. In terms of modifying the plugin, do you expect that this plugin will create three (if you accept the above one) different detection reports that state CVEs seperately? Or should I just add these three different types of LFI methods and return the current report (CVE-2023-1177, current version of the code) for all of them (not mentioning their CVEs specifically)? I'm a bit confused because all mentioned CVEs have three HTTP requests, and only the first ones are the same.

Also, it should be noted that one version of Mlflow can be vulnerable to three assigned vulnerabilities at the same time. Tested and observed with version 2.1.0.

Therefore, I'm not sure how to edit the following code block for multiple CVEs according to your standarts

@Override
  public DetectionReportList detect(
      TargetInfo targetInfo, ImmutableList<NetworkService> matchedServices) {
    logger.atInfo().log("CVE-2023-1177 starts detecting.");

    return DetectionReportList.newBuilder()
        .addAllDetectionReports(
            matchedServices.stream()
                .filter(NetworkServiceUtils::isWebService)
                .filter(this::isServiceVulnerable)
                .map(networkService -> buildDetectionReport(targetInfo, networkService))
                .collect(toImmutableList()))
        .build();
  }

from tsunami-security-scanner-plugins.