CVE-2024-2035

An improper authorization vulnerability exists in the zenml-io/zenml repository, specifically within the API PUT /api/v1/users/id endpoint. This vulnerability allows any authenticated user to modify the information of other users, including changing the `active` status of user accounts to false, effectively deactivating them. This issue affects version 0.55.3 and was fixed in version 0.56.2. The impact of this vulnerability is significant as it allows for the deactivation of admin accounts, potentially disrupting the functionality and security of the application.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector : AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Exploitability : 1.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/zenml-io/zenml/commit/b95f083efffa56831cd41d8ed536aeb0b6038fa3
https://huntr.com/bounties/1cfc6493-082e-4229-9f2f-496801a6557c

Configurations

No configuration.

History

No history.

Information

Published : 2024-06-06 19:15

Updated : 2024-06-07 14:56

NVD link : CVE-2024-2035

Mitre link : CVE-2024-2035

CVE.ORG link : CVE-2024-2035

JSON object : View

Products Affected

No product.

CWE

CWE-1220

Insufficient Granularity of Access Control

{"id": "CVE-2024-2035", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 1.2}]}, "published": "2024-06-06T19:15:53.313", "references": [{"url": "https://github.com/zenml-io/zenml/commit/b95f083efffa56831cd41d8ed536aeb0b6038fa3", "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/1cfc6493-082e-4229-9f2f-496801a6557c", "source": "security@huntr.dev"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-1220"}]}], "descriptions": [{"lang": "en", "value": "An improper authorization vulnerability exists in the zenml-io/zenml repository, specifically within the API PUT /api/v1/users/id endpoint. This vulnerability allows any authenticated user to modify the information of other users, including changing the `active` status of user accounts to false, effectively deactivating them. This issue affects version 0.55.3 and was fixed in version 0.56.2. The impact of this vulnerability is significant as it allows for the deactivation of admin accounts, potentially disrupting the functionality and security of the application."}, {"lang": "es", "value": "Existe una vulnerabilidad de autorizaci\u00f3n incorrecta en el repositorio zenml-io/zenml, espec\u00edficamente dentro del endpoint API PUT /api/v1/users/id. Esta vulnerabilidad permite que cualquier usuario autenticado modifique la informaci\u00f3n de otros usuarios, incluido cambiar el estado \"activo\" de las cuentas de usuario a falso, desactiv\u00e1ndolas efectivamente. Este problema afecta a la versi\u00f3n 0.55.3 y se solucion\u00f3 en la versi\u00f3n 0.56.2. El impacto de esta vulnerabilidad es significativo ya que permite la desactivaci\u00f3n de cuentas de administrador, lo que potencialmente altera la funcionalidad y seguridad de la aplicaci\u00f3n."}], "lastModified": "2024-06-07T14:56:05.647", "sourceIdentifier": "security@huntr.dev"}

6.5 /10