zenml@0.3.7.1rc1 vulnerabilities

ZenML: Write production-ready ML code.

Direct Vulnerabilities

Known vulnerabilities in the zenml package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability | Vulnerable Version
  • M
Allocation of Resources Without Limits or Throttling

zenml is a ZenML: Write production-ready ML code.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the /api/v1/current-user endpoint. An attacker can brute-force the current password in the Update Password function, allowing them to take over the user's account.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade zenml to version 0.57.0rc2 or higher.

[,0.57.0rc2)
  • M
Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the redirect parameter, due to improper user input sanitization.

How to fix Cross-site Scripting (XSS)?

Upgrade zenml to version 0.58.0 or higher.

[,0.58.0)
  • M
Uncontrolled Resource Consumption ('Resource Exhaustion')

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') due to improper handling of line feed (\n) characters in component names. An attacker can degrade the user experience and potentially render the ZenML Dashboard unusable by adding a component through the API endpoint api/v1/workspaces/default/components with a name containing a \n character. This results in uncontrolled resource consumption and prevents users from adding new components in certain categories and registering new stacks through the UI.

How to fix Uncontrolled Resource Consumption ('Resource Exhaustion')?

Upgrade zenml to version 0.57.1 or higher.

[,0.57.1)
  • L
Improper Authentication

Affected versions of this package are vulnerable to Improper Authentication. An attacker with access to an active user session can change the account password without needing to know the current password, leading to unauthorized account takeover by bypassing the standard password change verification process.

How to fix Improper Authentication?

Upgrade zenml to version 0.56.3 or higher.

[,0.56.3)
  • M
Improper Authorization

Affected versions of this package are vulnerable to Improper Authorization through the API PUT /api/v1/users/id endpoint. An authenticated attacker can modify the information of other users, including deactivating their accounts, by manipulating the active status.

How to fix Improper Authorization?

Upgrade zenml to version 0.56.2 or higher.

[,0.56.2)
  • L
Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the logo_url field. An attacker can send harmful messages to other users, potentially compromising their accounts by injecting malicious payloads into this field.

Notes:

  1. There is no notion of an admin account or RBAC in ZenML. All accounts are created equal and have access to the same information. Therefore this vulnerability cannot be exploited for privilege escalation or to expose confidential information.

  2. The injected payload is not automatically triggered and cannot even be mistakenly triggered by the user (e.g. via a hyperlink). The user has to willingly right-click on the logo and open the URL contents in a new tab. This is a voluntary and informed action and is the equivalent of copying any text from the screen (e.g. from the description of an object) and pasting it in a new tab. It also does not affect the ZenML dashboard directly, since it is effectively an action that navigates away from it.

How to fix Cross-site Scripting (XSS)?

Upgrade zenml to version 0.56.2 or higher.

[,0.56.2)
  • L
Race Condition

Affected versions of this package are vulnerable to Race Condition due to the insufficient handling of concurrent user creation requests. An attacker can create multiple users with the same username and potentially disrupt the authentication process by sending parallel requests.

How to fix Race Condition?

Upgrade zenml to version 0.55.5 or higher.

[,0.55.5)
  • M
Improper Restriction of Rendered UI Layers or Frames

Affected versions of this package are vulnerable to Improper Restriction of Rendered UI Layers or Frames due to the application's failure to set appropriate X-Frame-Options or Content-Security-Policy HTTP headers. An attacker can trick users into interacting with the interface under the attacker's control by embedding the application UI within an iframe on a malicious page.

How to fix Improper Restriction of Rendered UI Layers or Frames?

Upgrade zenml to version 0.56.3 or higher.

[,0.56.3)
  • C
Path Traversal

Affected versions of this package are vulnerable to Path Traversal due to insufficient validation of user-supplied input in the /api/v1/steps endpoint. An attacker can access files outside of the restricted directory by manipulating the 'logs' URI path in the request to fetch arbitrary file content, effectively bypassing intended access restrictions.

How to fix Path Traversal?

Upgrade zenml to version 0.55.5 or higher.

[,0.55.5)
  • M
Session Fixation

Affected versions of this package are vulnerable to Session Fixation due to the JWT tokens not being changed every time the user logs out and back in. An attacker can bypass authentication to access the victim's account without knowing the victim's password.

How to fix Session Fixation?

Upgrade zenml to version 0.56.2 or higher.

[,0.56.2)
  • C
Unrestricted Upload of File with Dangerous Type

Affected versions of this package are vulnerable to Unrestricted Upload of File with Dangerous Type via the load function in /materializers/cloudpickle_materializer.py. An attacker can execute arbitrary code by uploading a crafted file.

How to fix Unrestricted Upload of File with Dangerous Type?

Upgrade zenml to version 0.55.5 or higher.

[,0.55.5)
  • C
Improper Authentication

Affected versions of this package are vulnerable to Improper Authentication via the /api/v1/users/{user_name_or_id}/activate REST API endpoint. An existing username, along with a new password provided in the request body, can be misused to gain unauthorized access.

How to fix Improper Authentication?

Upgrade zenml to version 0.42.2, 0.43.1, 0.44.4, 0.47.0 or higher.

[,0.42.2) [0.43.0,0.43.1) [0.44.0,0.44.4) [0.46.0,0.47.0)