By kannthu
The "Mlflow - Unauthenticated Access" module is designed to detect an MLflow tracking server whose dashboard and REST API are reachable without authentication. MLflow is an open-source platform for managing the machine learning lifecycle (experiment tracking, model packaging and a model registry). The module targets a misconfiguration rather than a code defect: MLflow ships with no built-in access control on its web UI and API, so an instance exposed to a network without an authenticating proxy in front of it accepts requests from anyone who can reach it. The severity of this finding is classified as high.
If the "Mlflow - Unauthenticated Access" finding is confirmed, unauthenticated users can read whatever the server tracks (experiment and run metadata, logged parameters and metrics, and the artifact locations that point at stored models and datasets) and can perform the same write actions the API offers to legitimate users, such as creating or deleting experiments and runs and modifying registered models. This can lead to data breaches, unauthorized model modifications, and potential misuse of machine learning resources.
The "Mlflow - Unauthenticated Access" module works by sending an HTTP GET request, carrying no credentials, to the MLflow tracking server's API endpoint /ajax-api/2.0/preview/mlflow/experiments/get?experiment_id=0 (experiment ID 0 is the "Default" experiment that every MLflow tracking server creates, so the request is valid against any instance). It then applies matching conditions to the response to determine whether the dashboard allows unauthenticated access.
The matching conditions for this module are:
- The response body must contain the words "experiment_id", "name", and "artifact_location".
- The response status code must be 200.
Both conditions must be met; if they are, the module reports a vulnerability, indicating that unauthenticated access to the MLflow dashboard is possible. An MLflow server placed behind an authenticating reverse proxy typically answers this request with a 401 or 403, or with a redirect to a login page, neither of which satisfies both conditions, so a single matched response is a strong signal but is still worth confirming by hand (for example by requesting the same path with curl and inspecting the returned experiment JSON).
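As an added illustration, not the Vidoc module's own code, the following Python script reproduces the check described above: it issues the unauthenticated GET against the endpoint and applies the two matching conditions to the status code and body. The request path and the three keywords are taken from the module description; the fetch() helper, the User-Agent string, and the sample responses are assumptions constructed for the example and are not captured from a real server.

```python
import json
import sys
import urllib.request
from urllib.error import HTTPError

# Endpoint the module requests (from the module description).
MLFLOW_CHECK_PATH = "/ajax-api/2.0/preview/mlflow/experiments/get?experiment_id=0"

# Keywords the module requires in the response body (from the module description).
REQUIRED_WORDS = ("experiment_id", "name", "artifact_location")


def is_unauthenticated_mlflow(status: int, body: str) -> bool:
    """Apply the module's two matching conditions.

    Both must hold: the status code is 200 AND every required keyword
    appears in the body. A 401/403 from an auth proxy, or a 200 login
    page that lacks the MLflow field names, does not match.
    """
    if status != 200:
        return False
    return all(word in body for word in REQUIRED_WORDS)


def fetch(base_url: str, timeout: float = 10.0):
    """Send the credential-less GET and return (status, body).

    Hypothetical helper for the example; it is only used when the script
    is run against a live target, never by the offline samples below.
    """
    url = base_url.rstrip("/") + MLFLOW_CHECK_PATH
    req = urllib.request.Request(url, headers={"User-Agent": "mlflow-unauth-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except HTTPError as err:  # non-2xx: still return status and body for matching
        return err.code, err.read().decode("utf-8", errors="replace")


def check_target(base_url: str) -> bool:
    """Fetch the endpoint from a live target and evaluate the matcher."""
    status, body = fetch(base_url)
    return is_unauthenticated_mlflow(status, body)


# Constructed sample responses (not captured from any real server).
# 1) Open tracking server answering the Default experiment lookup.
SAMPLE_OPEN = (200, json.dumps({"experiment": {
    "experiment_id": "0", "name": "Default",
    "artifact_location": "./mlruns/0", "lifecycle_stage": "active"}}))
# 2) Reverse proxy returning a login page with HTTP 200 (contains "name" but not the MLflow fields).
SAMPLE_LOGIN_PAGE = (200, "<html><title>Sign in</title><form name=login></form></html>")
# 3) Proxy rejecting the anonymous request outright.
SAMPLE_UNAUTHORIZED = (401, json.dumps({"error_code": "UNAUTHORIZED"}))
# 4) Status matches but the body is missing one required keyword.
SAMPLE_PARTIAL = (200, json.dumps({"experiment": {"experiment_id": "0", "name": "Default"}}))

if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Live mode: python mlflow_unauth.py http://tracking.example:5000
        print("vulnerable" if check_target(sys.argv[1]) else "not matched")
    else:
        # Offline mode: show the matcher against the constructed samples.
        for label, (status, body) in (("open", SAMPLE_OPEN),
                                      ("login-page", SAMPLE_LOGIN_PAGE),
                                      ("unauthorized", SAMPLE_UNAUTHORIZED),
                                      ("partial", SAMPLE_PARTIAL)):
            print(f"{label:13s} -> {is_unauthenticated_mlflow(status, body)}")
```

Run without arguments to see the matcher applied to the four constructed responses; only the open-server sample matches. Run with a base URL to perform the same request the module sends against a live tracking server. The keyword match is deliberately loose (a substring test on the raw body, as the module description states), which is why the status-code condition is needed alongside it.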