Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02aDNmLTQzdnEtNTNoas4AA7CV
Directory traversal in zenml
A directory traversal vulnerability exists in the zenml-io/zenml repository, specifically within the /api/v1/steps endpoint. Attackers can exploit this vulnerability by manipulating the 'logs' URI path in the request to fetch arbitrary file content, bypassing intended access restrictions. The vulnerability arises due to the lack of validation for directory traversal patterns, allowing attackers to access files outside of the restricted directory.
Permalink: https://github.com/advisories/GHSA-6h3f-43vq-53hjJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02aDNmLTQzdnEtNTNoas4AA7CV
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 18 days ago
Updated: 17 days ago
CVSS Score: 9.9
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Identifiers: GHSA-6h3f-43vq-53hj, CVE-2024-2083
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-2083
- https://github.com/zenml-io/zenml/commit/00e934f33a243a554f5f65b80eefd5ea5117367b
- https://huntr.com/bounties/f24b2216-6a4b-42a1-becb-9b47e6cf117f
- https://github.com/advisories/GHSA-6h3f-43vq-53hj
Blast Radius: 16.3
Affected Packages
pypi:zenml
Dependent packages: 2Dependent repositories: 44
Downloads: 14,192 last month
Affected Version Ranges: < 0.55.5
Fixed in: 0.55.5
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.2.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.7, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.8.0, 0.8.1, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.13.1, 0.13.2, 0.20.0, 0.20.1, 0.20.2, 0.20.3, 0.20.4, 0.20.5, 0.21.0, 0.21.1, 0.22.0, 0.23.0, 0.30.0, 0.31.0, 0.31.1, 0.32.0, 0.32.1, 0.33.0, 0.34.0, 0.35.0, 0.35.1, 0.36.0, 0.36.1, 0.37.0, 0.38.0, 0.39.0, 0.39.1, 0.40.0, 0.40.1, 0.40.2, 0.40.3, 0.41.0, 0.42.0, 0.42.1, 0.42.2, 0.43.0, 0.43.1, 0.44.0, 0.44.1, 0.44.2, 0.44.3, 0.44.4, 0.45.0, 0.45.1, 0.45.2, 0.45.3, 0.45.4, 0.45.5, 0.45.6, 0.46.0, 0.46.1, 0.47.0, 0.50.0, 0.51.0, 0.52.0, 0.53.0, 0.53.1, 0.54.0, 0.54.1, 0.55.0, 0.55.1, 0.55.2, 0.55.3, 0.55.4
All unaffected versions: 0.55.5, 0.56.0, 0.56.1, 0.56.2, 0.56.3, 0.56.4