CVE-2024-2035

MEDIUM EPSS 45.4%
Published Jun 6, 20242y ago · Modified Jun 17, 20261w ago
6.5 CVSS 3.1
Medium
Find Similar
Published Jun 6, 2024 2y ago
Last Modified Jun 17, 2026 1w ago

Description

An improper authorization vulnerability exists in the zenml-io/zenml repository, specifically within the API PUT /api/v1/users/id endpoint. This vulnerability allows any authenticated user to modify the information of other users, including changing the `active` status of user accounts to false, effectively deactivating them. This issue affects version 0.55.3 and was fixed in version 0.56.2. The impact of this vulnerability is significant as it allows for the deactivation of admin accounts, potentially disrupting the functionality and security of the application.

CVSS Details

Base Score
6.5
Exploitability
1.2
Impact
5.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction None
Scope Unchanged
Confidentiality None
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
45.4% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-862 Missing Authorization Authorization

Affected Products 1

VendorProductVersionRange
zenmlzenml* <0.56.2

References 2

  • github.com https://github.com/zenml-io/zenml/commit/b95f083efffa56831cd41d8ed536aeb0b6038fa3
    Patch
  • huntr.com https://huntr.com/bounties/1cfc6493-082e-4229-9f2f-496801a6557c
    ExploitIssue TrackingPatchThird Party Advisory

Remediation

  • github.com https://github.com/zenml-io/zenml/commit/b95f083efffa56831cd41d8ed536aeb0b6038fa3
    Patch
  • huntr.com https://huntr.com/bounties/1cfc6493-082e-4229-9f2f-496801a6557c
    ExploitIssue TrackingPatchThird Party Advisory