zenml@0.56.4 vulnerabilities

zenml is a ZenML: Write production-ready ML code.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the /api/v1/current-user endpoint. An attacker can brute-force the current password in the Update Password function, allowing them to take over the user's account.

Upgrade zenml to version 0.57.0rc2 or higher.

zenml is a ZenML: Write production-ready ML code.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the redirect parameter, due to improper user input sanitization.

Upgrade zenml to version 0.58.0 or higher.

zenml is a ZenML: Write production-ready ML code.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') due to improper handling of line feed (\n) characters in component names. An attacker can degrade the user experience and potentially render the ZenML Dashboard unusable by adding a component through the API endpoint api/v1/workspaces/default/components with a name containing a \n character. This results in uncontrolled resource consumption and prevents users from adding new components in certain categories and registering new stacks through the UI.

Upgrade zenml to version 0.57.1 or higher.

zenml is a ZenML: Write production-ready ML code.

Affected versions of this package are vulnerable to Insufficient Session Expiration due to the improper session management mechanism. An attacker can maintain unauthorized access and perform actions as a legitimate user by reusing old session credentials or session IDs after a password change. The vulnerability arises when sessions do not expire immediately after a password change, allowing the session to remain active and usable in another browser without requiring re-authentication.

There is no fixed version for zenml.