Search for packages
| purl | pkg:pypi/zenml@0.3.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-42g8-w871-x3es
Aliases: CVE-2024-9340 GHSA-6gmf-2369-c76c PYSEC-2025-57 |
A Denial of Service (DoS) vulnerability in zenml-io/zenml version 0.66.0 allows unauthenticated attackers to cause excessive resource consumption by sending malformed multipart requests with arbitrary characters appended to the end of multipart boundaries. This flaw in the multipart request boundary processing mechanism leads to an infinite loop, resulting in a complete denial of service for all users. Affected endpoints include `/api/v1/login` and `/api/v1/device_authorization`. |
Affected by 0 other vulnerabilities. |
|
VCID-4hzw-29wd-57g1
Aliases: CVE-2024-2035 GHSA-9x88-4jg8-4vf7 PYSEC-2024-169 |
An improper authorization vulnerability exists in the zenml-io/zenml repository, specifically within the API PUT /api/v1/users/id endpoint. This vulnerability allows any authenticated user to modify the information of other users, including changing the `active` status of user accounts to false, effectively deactivating them. This issue affects version 0.55.3 and was fixed in version 0.56.2. The impact of this vulnerability is significant as it allows for the deactivation of admin accounts, potentially disrupting the functionality and security of the application. |
Affected by 7 other vulnerabilities. |
|
VCID-5qpt-9jqh-dba7
Aliases: CVE-2024-5062 GHSA-3434-hc3m-8mmm PYSEC-2024-176 |
A reflected Cross-Site Scripting (XSS) vulnerability was identified in zenml-io/zenml version 0.57.1. The vulnerability exists due to improper neutralization of input during web page generation, specifically within the survey redirect parameter. This flaw allows an attacker to redirect users to a specified URL after completing a survey, without proper validation of the 'redirect' parameter. Consequently, an attacker can execute arbitrary JavaScript code in the context of the user's browser session. This vulnerability could be exploited to steal cookies, potentially leading to account takeover. |
Affected by 1 other vulnerability. |
|
VCID-7cya-2yr7-r3e5
Aliases: CVE-2024-2213 GHSA-j527-v579-m98h PYSEC-2024-193 |
An issue was discovered in zenml-io/zenml versions up to and including 0.55.4. Due to improper authentication mechanisms, an attacker with access to an active user session can change the account password without needing to know the current password. This vulnerability allows for unauthorized account takeover by bypassing the standard password change verification process. The issue was fixed in version 0.56.3. |
Affected by 5 other vulnerabilities. |
|
VCID-7gaz-m16x-qbeb
Aliases: CVE-2024-2083 GHSA-6h3f-43vq-53hj PYSEC-2024-247 |
A directory traversal vulnerability exists in the zenml-io/zenml repository, specifically within the /api/v1/steps endpoint. Attackers can exploit this vulnerability by manipulating the 'logs' URI path in the request to fetch arbitrary file content, bypassing intended access restrictions. The vulnerability arises due to the lack of validation for directory traversal patterns, allowing attackers to access files outside of the restricted directory. |
Affected by 10 other vulnerabilities. |
|
VCID-bh6k-2w81-5kg1
Aliases: CVE-2024-4311 GHSA-j3vq-pmp5-r5xj |
zenml-io/zenml version 0.56.4 is vulnerable to an account takeover due to the lack of rate-limiting in the password change function. An attacker can brute-force the current password in the 'Update Password' function, allowing them to take over the user's account. This vulnerability is due to the absence of rate-limiting on the '/api/v1/current-user' endpoint, which does not restrict the number of attempts an attacker can make to guess the current password. Successful exploitation results in the attacker being able to change the password and take control of the account. |
Affected by 3 other vulnerabilities. |
|
VCID-cc82-xbg4-sbd4
Aliases: CVE-2024-4680 GHSA-99hm-86h7-gr3g |
A vulnerability in zenml-io/zenml version 0.56.3 allows attackers to reuse old session credentials or session IDs due to insufficient session expiration. Specifically, the session does not expire after a password change, enabling an attacker to maintain access to a compromised account without the victim's ability to revoke this access. This issue was observed in a self-hosted ZenML deployment via Docker, where after changing the password from one browser, the session remained active and usable in another browser without requiring re-authentication. |
Affected by 4 other vulnerabilities. |
|
VCID-dhp5-dpvm-v7cc
Aliases: CVE-2024-2383 GHSA-mq73-g4qr-fgcq PYSEC-2024-194 |
A clickjacking vulnerability exists in zenml-io/zenml versions up to and including 0.55.5 due to the application's failure to set appropriate X-Frame-Options or Content-Security-Policy HTTP headers. This vulnerability allows an attacker to embed the application UI within an iframe on a malicious page, potentially leading to unauthorized actions by tricking users into interacting with the interface under the attacker's control. The issue was addressed in version 0.56.3. |
Affected by 5 other vulnerabilities. |
|
VCID-gsey-n5gk-huah
Aliases: CVE-2024-4460 GHSA-7gjr-hcc3-xfr4 |
Affected by 2 other vulnerabilities. |
|
|
VCID-j3df-fbe5-37ha
Aliases: CVE-2024-25723 GHSA-vf7j-cmrj-pmmm |
ZenML Server in the ZenML machine learning package before 0.46.7 for Python allows remote privilege escalation because the /api/v1/users/{user_name_or_id}/activate REST API endpoint allows access on the basis of a valid username along with a new password in the request body. These are also patched versions: 0.44.4, 0.43.1, and 0.42.2. |
Affected by 12 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-qj66-8fqx-s3dx
Aliases: CVE-2024-2171 GHSA-vwgf-7f9h-h499 PYSEC-2024-170 |
A stored Cross-Site Scripting (XSS) vulnerability was identified in the zenml-io/zenml repository, specifically within the 'logo_url' field. By injecting malicious payloads into this field, an attacker could send harmful messages to other users, potentially compromising their accounts. The vulnerability affects version 0.55.3 and was fixed in version 0.56.2. The impact of exploiting this vulnerability could lead to user account compromise. |
Affected by 7 other vulnerabilities. |
|
VCID-tkuk-h9xn-1yey
Aliases: CVE-2024-2032 GHSA-c546-8jmq-hprj PYSEC-2024-105 |
A race condition vulnerability exists in zenml-io/zenml versions up to and including 0.55.3, which allows for the creation of multiple users with the same username when requests are sent in parallel. This issue was fixed in version 0.55.5. The vulnerability arises due to insufficient handling of concurrent user creation requests, leading to data inconsistencies and potential authentication problems. Specifically, concurrent processes may overwrite or corrupt user data, complicating user identification and posing security risks. This issue is particularly concerning for APIs that rely on usernames as input parameters, such as PUT /api/v1/users/test_race, where it could lead to further complications. |
Affected by 10 other vulnerabilities. |
|
VCID-utfk-qyy1-muhw
Aliases: CVE-2024-2260 GHSA-g3r5-72hf-p7p2 PYSEC-2024-254 |
A session fixation vulnerability exists in the zenml-io/zenml application, where JWT tokens used for user authentication are not invalidated upon logout. This flaw allows an attacker to bypass authentication mechanisms by reusing a victim's JWT token. |
Affected by 7 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||