Vulnerability Description
An improper authorization vulnerability exists in the zenml-io/zenml repository, specifically within the API PUT /api/v1/users/id endpoint. This vulnerability allows any authenticated user to modify the information of other users, including changing the `active` status of user accounts to false, effectively deactivating them. This issue affects version 0.55.3 and was fixed in version 0.56.2. The impact of this vulnerability is significant as it allows for the deactivation of admin accounts, potentially disrupting the functionality and security of the application.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zenml | Zenml | < 0.56.2 |
Related Weaknesses (CWE)
References
- https://github.com/zenml-io/zenml/commit/b95f083efffa56831cd41d8ed536aeb0b6038faPatch
- https://huntr.com/bounties/1cfc6493-082e-4229-9f2f-496801a6557cExploitIssue TrackingPatch
- https://github.com/zenml-io/zenml/commit/b95f083efffa56831cd41d8ed536aeb0b6038faPatch
- https://huntr.com/bounties/1cfc6493-082e-4229-9f2f-496801a6557cExploitIssue TrackingPatch
FAQ
What is CVE-2024-2035?
CVE-2024-2035 is a vulnerability with a CVSS score of 6.5 (MEDIUM). An improper authorization vulnerability exists in the zenml-io/zenml repository, specifically within the API PUT /api/v1/users/id endpoint. This vulnerability allows any authenticated user to modify t...
How severe is CVE-2024-2035?
CVE-2024-2035 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-2035?
Check the references section above for vendor advisories and patch information. Affected products include: Zenml Zenml.