Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS02aDNmLTQzdnEtNTNoas4AA7CV

Directory traversal in zenml

A directory traversal vulnerability exists in the zenml-io/zenml repository, specifically within the /api/v1/steps endpoint. Attackers can exploit this vulnerability by manipulating the 'logs' URI path in the request to fetch arbitrary file content, bypassing intended access restrictions. The vulnerability arises due to the lack of validation for directory traversal patterns, allowing attackers to access files outside of the restricted directory.

Permalink: https://github.com/advisories/GHSA-6h3f-43vq-53hj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02aDNmLTQzdnEtNTNoas4AA7CV
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 1 month ago
Updated: about 1 month ago


CVSS Score: 9.9
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Identifiers: GHSA-6h3f-43vq-53hj, CVE-2024-2083
References: Repository: https://github.com/zenml-io/zenml
Blast Radius: 16.3

Affected Packages

pypi:zenml
Dependent packages: 2
Dependent repositories: 44
Downloads: 19,967 last month
Affected Version Ranges: < 0.55.5
Fixed in: 0.55.5
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.2.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.7, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.8.0, 0.8.1, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.13.1, 0.13.2, 0.20.0, 0.20.1, 0.20.2, 0.20.3, 0.20.4, 0.20.5, 0.21.0, 0.21.1, 0.22.0, 0.23.0, 0.30.0, 0.31.0, 0.31.1, 0.32.0, 0.32.1, 0.33.0, 0.34.0, 0.35.0, 0.35.1, 0.36.0, 0.36.1, 0.37.0, 0.38.0, 0.39.0, 0.39.1, 0.40.0, 0.40.1, 0.40.2, 0.40.3, 0.41.0, 0.42.0, 0.42.1, 0.42.2, 0.43.0, 0.43.1, 0.44.0, 0.44.1, 0.44.2, 0.44.3, 0.44.4, 0.45.0, 0.45.1, 0.45.2, 0.45.3, 0.45.4, 0.45.5, 0.45.6, 0.46.0, 0.46.1, 0.47.0, 0.50.0, 0.51.0, 0.52.0, 0.53.0, 0.53.1, 0.54.0, 0.54.1, 0.55.0, 0.55.1, 0.55.2, 0.55.3, 0.55.4
All unaffected versions: 0.55.5, 0.56.0, 0.56.1, 0.56.2, 0.56.3, 0.56.4, 0.57.0, 0.57.1