Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qM3ZxLXBtcDUtcjV4as4ABBXQ
Missing rate limit on password resets in zenml
zenml-io/zenml version 0.56.4 is vulnerable to an account takeover due to the lack of rate-limiting in the password change function. An attacker can brute-force the current password in the 'Update Password' function, allowing them to take over the user's account. This vulnerability is due to the absence of rate-limiting on the '/api/v1/current-user' endpoint, which does not restrict the number of attempts an attacker can make to guess the current password. Successful exploitation results in the attacker being able to change the password and take control of the account.
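The control the advisory describes as missing is a per-account limit on failed current-password checks at the password-change endpoint. The following is an added example, not ZenML's code and not the fix in the referenced commit (whose details this page does not show): an in-memory password-change service that verifies the current password with a constant-time comparison and refuses further attempts once an account has exceeded a sliding-window failure budget. All names, the policy values, and the injectable clock are assumptions made for the example.

```python
"""Rate-limited password change (added example; not ZenML's code).

The password-change handler must (1) verify the current password and
(2) limit how many failed verifications one account may accumulate, so the
current password cannot be guessed by unlimited attempts. All names and
policy values here are assumptions made for this example.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# Assumed policy: at most MAX_FAILURES wrong current-password attempts per
# account within WINDOW_SECONDS; beyond that, the endpoint refuses every
# attempt for that account (correct password included) until the window drains.
MAX_FAILURES = 5
WINDOW_SECONDS = 900
PBKDF2_ROUNDS = 100_000  # kept low for the example; production uses more


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """PBKDF2-HMAC-SHA256 password hash; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class PasswordChangeService:
    def __init__(self, clock=time.monotonic):
        self._clock = clock  # injectable so the window can be tested deterministically
        self._credentials = {}  # user -> (salt, digest)
        # Per-user timestamps of failed current-password checks (sliding window).
        self._failures = defaultdict(deque)

    def register(self, user: str, password: str) -> None:
        self._credentials[user] = hash_password(password)

    def verify(self, user: str, password: str) -> bool:
        """Login-style check; used here to confirm the change took effect."""
        if user not in self._credentials:
            return False
        salt, expected = self._credentials[user]
        return hmac.compare_digest(expected, hash_password(password, salt)[1])

    def _recent_failures(self, user: str) -> int:
        window = self._failures[user]
        cutoff = self._clock() - WINDOW_SECONDS
        while window and window[0] < cutoff:
            window.popleft()  # drop failures older than the window
        return len(window)

    def change_password(self, user: str, current: str, new: str) -> str:
        """Returns 'ok', 'wrong_password', or 'rate_limited'."""
        if user not in self._credentials:
            return "wrong_password"  # do not reveal whether the account exists
        # Check the budget BEFORE verifying, so a locked account cannot be
        # probed at all; this is the check the advisory says was absent.
        if self._recent_failures(user) >= MAX_FAILURES:
            return "rate_limited"
        salt, expected = self._credentials[user]
        if not hmac.compare_digest(expected, hash_password(current, salt)[1]):
            self._failures[user].append(self._clock())  # count the failure
            return "wrong_password"
        self._failures[user].clear()  # a successful change resets the budget
        self._credentials[user] = hash_password(new)
        return "ok"
```

The budget is keyed by the account being changed rather than by client address, because the attack the advisory describes targets one account and can be spread over many sources. A real deployment would keep the failure counters in a shared store (so every API replica sees the same count), log each `rate_limited` outcome for detection, and notify the account owner when the limit trips.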
Permalink: https://github.com/advisories/GHSA-j3vq-pmp5-r5xj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qM3ZxLXBtcDUtcjV4as4ABBXQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 7 days ago
Updated: 2 days ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:H
Identifiers: GHSA-j3vq-pmp5-r5xj, CVE-2024-4311
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-4311
- https://github.com/zenml-io/zenml/commit/87a6c2c8f45b49ea83fbb5fe8fff7ab5365a60c9
- https://huntr.com/bounties/d5517e1a-6b94-4e38-aad6-3aa65f98bec2
- https://github.com/advisories/GHSA-j3vq-pmp5-r5xj
Blast Radius: 8.9
Affected Packages
pypi:zenml
Dependent packages: 2
Dependent repositories: 44
Downloads: 33,602 last month
Affected Version Ranges: < 0.57.0rc2
Fixed in: 0.57.0rc2
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.2.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.7, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.8.0, 0.8.1, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.13.1, 0.13.2, 0.20.0, 0.20.1, 0.20.2, 0.20.3, 0.20.4, 0.20.5, 0.21.0, 0.21.1, 0.22.0, 0.23.0, 0.30.0, 0.31.0, 0.31.1, 0.32.0, 0.32.1, 0.33.0, 0.34.0, 0.35.0, 0.35.1, 0.36.0, 0.36.1, 0.37.0, 0.38.0, 0.39.0, 0.39.1, 0.40.0, 0.40.1, 0.40.2, 0.40.3, 0.41.0, 0.42.0, 0.42.1, 0.42.2, 0.43.0, 0.43.1, 0.44.0, 0.44.1, 0.44.2, 0.44.3, 0.44.4, 0.45.0, 0.45.1, 0.45.2, 0.45.3, 0.45.4, 0.45.5, 0.45.6, 0.46.0, 0.46.1, 0.47.0, 0.50.0, 0.51.0, 0.52.0, 0.53.0, 0.53.1, 0.54.0, 0.54.1, 0.55.0, 0.55.1, 0.55.2, 0.55.3, 0.55.4, 0.55.5, 0.56.0, 0.56.1, 0.56.2, 0.56.3, 0.56.4, 0.57.0-rc1
All unaffected versions: 0.57.0, 0.57.1, 0.58.0, 0.58.1, 0.58.2, 0.60.0, 0.61.0, 0.62.0, 0.63.0, 0.64.0, 0.65.0, 0.66.0, 0.67.0, 0.68.0, 0.68.1, 0.70.0