zenml@0.43.1 vulnerabilities

zenml is a ZenML: Write production-ready ML code.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the /api/v1/current-user endpoint. An attacker can brute-force the current password in the Update Password function, allowing them to take over the user's account.

Upgrade zenml to version 0.57.0rc2 or higher.

zenml is a ZenML: Write production-ready ML code.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the redirect parameter, due to improper user input sanitization.

Upgrade zenml to version 0.58.0 or higher.

zenml is a ZenML: Write production-ready ML code.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') due to improper handling of line feed (\n) characters in component names. An attacker can degrade the user experience and potentially render the ZenML Dashboard unusable by adding a component through the API endpoint api/v1/workspaces/default/components with a name containing a \n character. This results in uncontrolled resource consumption and prevents users from adding new components in certain categories and registering new stacks through the UI.

Upgrade zenml to version 0.57.1 or higher.

zenml is a ZenML: Write production-ready ML code.

Affected versions of this package are vulnerable to Improper Authentication. An attacker with access to an active user session can change the account password without needing to know the current password, leading to unauthorized account takeover by bypassing the standard password change verification process.

Upgrade zenml to version 0.56.3 or higher.

zenml is a ZenML: Write production-ready ML code.

Affected versions of this package are vulnerable to Improper Authorization through the API PUT /api/v1/users/id endpoint. An authenticated attacker can modify the information of other users, including deactivating their accounts, by manipulating the active status.

Upgrade zenml to version 0.56.2 or higher.

zenml is a ZenML: Write production-ready ML code.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the logo_url field. An attacker can send harmful messages to other users, potentially compromising their accounts by injecting malicious payloads into this field.

Notes:

1. There is no notion of an admin account or RBAC in ZenML. All accounts are created equal and have access to the same information. Therefore this vulnerability cannot be exploited for privilege escalation or to expose confidential information.

2. The injected payload is not automatically triggered and cannot even be mistakenly triggered by the user (e.g. via a hyperlink). The user has to willingly right-click on the logo and open the URL contents in a new tab. This is a voluntary and informed action and is the equivalent of copying any text from the screen (e.g. from the description of an object) and pasting it in a new tab. It also does not affect the ZenML dashboard directly, since it is effectively an action that navigates away from it.

Upgrade zenml to version 0.56.2 or higher.

zenml is a ZenML: Write production-ready ML code.

Affected versions of this package are vulnerable to Race Condition due to the insufficient handling of concurrent user creation requests. An attacker can create multiple users with the same username and potentially disrupt the authentication process by sending parallel requests.

Upgrade zenml to version 0.55.5 or higher.

zenml is a ZenML: Write production-ready ML code.

Affected versions of this package are vulnerable to Improper Restriction of Rendered UI Layers or Frames due to the application's failure to set appropriate X-Frame-Options or Content-Security-Policy HTTP headers. An attacker can trick users into interacting with the interface under the attacker's control by embedding the application UI within an iframe on a malicious page.

Upgrade zenml to version 0.56.3 or higher.

zenml is a ZenML: Write production-ready ML code.

Affected versions of this package are vulnerable to Path Traversal due to insufficient validation of user-supplied input in the /api/v1/steps endpoint. An attacker can access files outside of the restricted directory by manipulating the 'logs' URI path in the request to fetch arbitrary file content, effectively bypassing intended access restrictions.

Upgrade zenml to version 0.55.5 or higher.

zenml is a ZenML: Write production-ready ML code.

Affected versions of this package are vulnerable to Session Fixation due to the JWT tokens not being changed every time the user logs out and back in. An attacker can bypass authentication to access the victim's account without knowing the victim's password.

Upgrade zenml to version 0.56.2 or higher.

zenml is a ZenML: Write production-ready ML code.

Affected versions of this package are vulnerable to Unrestricted Upload of File with Dangerous Type via the load function in /materializers/cloudpickle_materializer.py. An attacker can execute arbitrary code by uploading a crafted file.

Upgrade zenml to version 0.55.5 or higher.