CVE-2024-2213

LOW

zenml-io/zenml <0.55.4 - Auth Bypass

Title source: llm

Description

An issue was discovered in zenml-io/zenml versions up to and including 0.55.4. Due to improper authentication mechanisms, an attacker with access to an active user session can change the account password without needing to know the current password. This vulnerability allows for unauthorized account takeover by bypassing the standard password change verification process. The issue was fixed in version 0.56.3.

Scores

CVSS v3 3.3
EPSS 0.0001
EPSS Percentile 1.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-620 (Unverified Password Change)
Status published
Products (2)
pypi/zenml 0 - 0.56.3 (PyPI)
zenml/zenml < 0.56.3
Published Jun 06, 2024
Tracked Since Feb 18, 2026