CVE-2024-2035

MEDIUM

Zenml < 0.56.2 - Missing Authorization

Title source: rule

Description

An improper authorization vulnerability exists in the zenml-io/zenml repository, specifically within the API PUT /api/v1/users/id endpoint. This vulnerability allows any authenticated user to modify the information of other users, including changing the `active` status of user accounts to false, effectively deactivating them. This issue affects version 0.55.3 and was fixed in version 0.56.2. The impact of this vulnerability is significant as it allows for the deactivation of admin accounts, potentially disrupting the functionality and security of the application.

References (2)

Core 2

Core References

Patch

https://github.com/zenml-io/zenml/commit/b95f083efffa56831cd41d8ed536aeb0b6038fa3

View Patch ZIP pw:eip

Exploit, Issue Tracking, Patch, Third Party Advisory

https://huntr.com/bounties/1cfc6493-082e-4229-9f2f-496801a6557c

Scores

CVSS v3 6.5

EPSS 0.0005

EPSS Percentile 15.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (2)

pypi/zenml 0 - 0.56.2PyPI

zenml/zenml < 0.56.2

Published Jun 06, 2024

Tracked Since Feb 18, 2026