1
1
/*
2
- * Copyright 2021 Google LLC
2
+ * Copyright 2024 Google LLC
3
3
*
4
4
* Licensed under the Apache License, Version 2.0 (the "License");
5
5
* you may not use this file except in compliance with the License.
13
13
* See the License for the specific language governing permissions and
14
14
* limitations under the License.
15
15
*/
16
- package com .google .tsunami .plugins .detectors .cves .cve20231177 ;
16
+ package com .google .tsunami .plugins .detectors .cves .cve20236977 ;
17
17
18
18
import static com .google .common .base .Preconditions .checkNotNull ;
19
19
import static com .google .common .collect .ImmutableList .toImmutableList ;
50
50
import java .time .Instant ;
51
51
import javax .inject .Inject ;
52
52
53
- /** A {@link VulnDetector} that detects the CVE-2023-1177 vulnerability. */
53
+ /** A {@link VulnDetector} that detects the CVE-2023-6977 vulnerability. */
54
54
@ PluginInfo (
55
55
type = PluginType .VULN_DETECTION ,
56
- name = "MLflow LFI/RFI CVE-2023-1177 Detector" ,
57
- version = "0.1 " ,
58
- description = Cve20231177Detector .VULN_DESCRIPTION ,
59
- author = "hh-hunter" ,
60
- bootstrapModule = Cve20231177DetectorBootstrapModule .class )
61
- public final class Cve20231177Detector implements VulnDetector {
56
+ name = "MLflow LFI/RFI CVE-2023-6977 Detector" ,
57
+ version = "0.2 " ,
58
+ description = Cve20236977Detector .VULN_DESCRIPTION ,
59
+ author = "hh-hunter, frkngksl " ,
60
+ bootstrapModule = Cve20236977DetectorBootstrapModule .class )
61
+ public final class Cve20236977Detector implements VulnDetector {
62
62
63
63
@ VisibleForTesting static final String DETECTION_STRING = "root:x:0:0:root" ;
64
64
@ VisibleForTesting static final String CREATE_DETECTION_STRING = "Tsunami-Test" ;
@@ -72,7 +72,9 @@ public final class Cve20231177Detector implements VulnDetector {
72
72
+ " host server, including any files stored in remote locations to which the host server"
73
73
+ " has access.This vulnerability can read arbitrary files. Since MLflow usually"
74
74
+ " configures s3 storage, it means that AWS account information can also be obtained,"
75
- + " and information such as local ssh private keys can also be read, resulting in RCE" ;
75
+ + " and information such as local ssh private keys can also be read, resulting in RCE."
76
+ + " The vulnerability detected here is CVE-2023-6977 which is a bypass for both"
77
+ + " CVE-2023-1177 and CVE-2023-2780. Hence, this plugin encompasses them." ;
76
78
77
79
private static final GoogleLogger logger = GoogleLogger .forEnclosingClass ();
78
80
@@ -88,22 +90,22 @@ public final class Cve20231177Detector implements VulnDetector {
88
90
private static final String CREATE_MODEL_DATA = "{\" name\" :\" REPLACE_FLAG\" }" ;
89
91
90
92
private static final String UPDATE_CREATE_MODEL_DATA =
91
- "{\" name\" :\" REPLACE_FLAG\" ,\" source\" :\" file:/// \" }" ;
93
+ "{\" name\" :\" REPLACE_FLAG\" ,\" source\" :\" //proc/self/root \" }" ;
92
94
93
95
private final HttpClient httpClient ;
94
96
95
97
private final Clock utcClock ;
96
98
97
99
@ Inject
98
- Cve20231177Detector (@ UtcClock Clock utcClock , HttpClient httpClient ) {
100
+ Cve20236977Detector (@ UtcClock Clock utcClock , HttpClient httpClient ) {
99
101
this .httpClient = checkNotNull (httpClient );
100
102
this .utcClock = checkNotNull (utcClock );
101
103
}
102
104
103
105
@ Override
104
106
public DetectionReportList detect (
105
107
TargetInfo targetInfo , ImmutableList <NetworkService > matchedServices ) {
106
- logger .atInfo ().log ("CVE-2023-1177 starts detecting." );
108
+ logger .atInfo ().log ("CVE-2023-6977 starts detecting." );
107
109
108
110
return DetectionReportList .newBuilder ()
109
111
.addAllDetectionReports (
@@ -219,11 +221,18 @@ private DetectionReport buildDetectionReport(
219
221
.setMainId (
220
222
VulnerabilityId .newBuilder ()
221
223
.setPublisher ("TSUNAMI_COMMUNITY" )
222
- .setValue ("CVE_2023_1177" ))
224
+ .setValue ("CVE_2023_6977" ))
225
+ .addRelatedId (
226
+ VulnerabilityId .newBuilder ().setPublisher ("CVE" ).setValue ("CVE-2023-6977" ))
227
+ .addRelatedId (
228
+ VulnerabilityId .newBuilder ().setPublisher ("CVE" ).setValue ("CVE-2023-2780" ))
229
+ .addRelatedId (
230
+ VulnerabilityId .newBuilder ().setPublisher ("CVE" ).setValue ("CVE-2023-1177" ))
223
231
.setSeverity (Severity .CRITICAL )
224
- .setTitle ("CVE-2023-1177 MLflow LFI/RFI" )
232
+ .setTitle ("CVE-2023-6977 MLflow LFI/RFI" )
225
233
.setRecommendation (
226
- "1.Updated to version 2.2.1 or later\n 2.Add authentication to MLflow server\n " )
234
+ "1.Update to the version 2.10.0 or above\n "
235
+ + "2.Add authentication to MLflow server\n " )
227
236
.setDescription (VULN_DESCRIPTION ))
228
237
.build ();
229
238
}