CVE-2024-12760 Scanner
CVE-2024-12760 Scanner - Open Redirect vulnerability in BentoML
Short Info
Level: Medium
Scan type: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 25 days 1 hour
Scan only one: URL
Toolbox: -
BentoML is a popular open-source framework designed to simplify the deployment of machine learning models. It is widely used by developers and data scientists for creating production-ready APIs from trained models. With features such as model serving, API deployment, and integration with cloud platforms, BentoML is utilized across industries to scale AI solutions effectively. Its flexibility and ease of use make it a preferred choice for machine learning deployments.
The vulnerability identified in BentoML v1.3.9 is an Open Redirect flaw. An attacker who controls a URL parameter can make the application answer with a redirect to a host of the attacker's choosing, so a link that genuinely starts at the trusted BentoML host ends on a phishing or malware-delivery site. Because the first hop is a legitimate domain, users and some URL filters are far more likely to trust the link.
The issue lies in the "file" parameter of the "/ui/gradio_api/file=" endpoint. When a crafted URL is sent to this endpoint, the application does not verify that the parameter refers to its own origin before redirecting, so a value pointing at an external domain is passed straight through into the redirect. A quick manual check is to request the endpoint with an external URL in the parameter and inspect the response: a 3xx status whose Location header carries the supplied external host confirms the behaviour. The fix is the usual one for open redirects: accept only relative paths on the application's own origin, or an absolute URL whose host is on an explicit allow list, and fall back to a safe default otherwise.
Exploitation of this vulnerability can lead to phishing, malware exposure, and, where redirected requests carry tokens or session data, unauthorized access. Users who are redirected to a malicious site may disclose credentials or compromise their systems while believing they are still interacting with the BentoML deployment. Trust in the affected deployment, and in BentoML as a secure framework, suffers accordingly.
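The following is an added, illustrative example (not BentoML's or Gradio's own code) of the validation the advisory says is missing. `is_safe_redirect` is a hypothetical helper that accepts a redirect target only when it stays on the application's own host; `vulnerable_redirect` shows the pattern that produces an open redirect, and `hardened_redirect` wraps the check with a safe fallback. The hostnames and payloads are constructed for the demonstration and go beyond the single case on this page by covering the usual bypass forms (scheme-relative, backslash, and scheme-only-with-no-slashes URLs).

```python
from urllib.parse import urlsplit


def is_safe_redirect(target: str, allowed_host: str) -> bool:
    """Return True only if `target` stays on `allowed_host`.

    `allowed_host` is the exact authority the app serves on (include the
    port if one is used). This is an illustrative validator, not code from
    BentoML.
    """
    if not target:
        return False
    # Backslashes and control characters are normalised by browsers:
    # "/\evil.example" is treated as "//evil.example" (scheme-relative).
    if any(c in target for c in "\\\r\n\t\x00"):
        return False
    # "//evil.example" and "///evil.example" both resolve to an external
    # host in browsers, although urlsplit reports no netloc for the latter.
    if target.startswith("//"):
        return False
    parts = urlsplit(target)
    # Block javascript:, data:, and any other non-web scheme.
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if parts.netloc:
        # Absolute URL: compare the full authority, which also rejects
        # userinfo tricks such as "https://app.example@evil.example/".
        return parts.netloc.lower() == allowed_host.lower()
    # "https:evil.example" parses with an empty netloc and a bare path;
    # only genuinely absolute, same-origin paths are allowed here.
    return target.startswith("/")


def vulnerable_redirect(file_param: str) -> str:
    """The open-redirect pattern: the parameter becomes the Location value
    unchanged, so any external URL is honoured."""
    return file_param


def hardened_redirect(file_param: str, allowed_host: str, fallback: str = "/") -> str:
    """Same entry point with the check applied; unsafe targets go to a
    fixed, local fallback instead of being echoed back."""
    if is_safe_redirect(file_param, allowed_host):
        return file_param
    return fallback


if __name__ == "__main__":
    host = "app.example"  # constructed hostname for the demo
    payloads = [
        "/ui/",                               # local path: safe
        "https://app.example/ui/",           # same host: safe
        "https://evil.example/",             # external: unsafe
        "//evil.example/",                   # scheme-relative: unsafe
        "///evil.example/",                  # triple slash: unsafe
        "/\\evil.example",                   # backslash bypass: unsafe
        "https:evil.example",                # no slashes after scheme: unsafe
        "https://app.example@evil.example/", # userinfo bypass: unsafe
        "javascript:alert(1)",               # non-web scheme: unsafe
    ]
    for p in payloads:
        print(f"{p!r:42} vulnerable -> {vulnerable_redirect(p)!r:42} "
              f"hardened -> {hardened_redirect(p, host)!r}")
```

Note that comparing the full `netloc` rather than only `hostname` is deliberate: a different port is a different origin, and a userinfo prefix is a common way to make an external URL look internal at a glance.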