
zenml-io/zenml does not expire the session after password reset

Low severity GitHub Reviewed Published Jun 8, 2024 to the GitHub Advisory Database • Updated Jun 10, 2024

Package

pip zenml (pip)

Affected versions

<= 0.56.3

Patched versions

None

Description

A vulnerability in zenml-io/zenml version 0.56.3 allows attackers to reuse old session credentials or session IDs due to insufficient session expiration. Specifically, the session does not expire after a password change, so an attacker who already holds a session for a compromised account keeps that access, and the victim has no way to revoke it by changing the password. This issue was observed in a self-hosted ZenML deployment via Docker: after the password was changed from one browser, the session remained active and usable in another browser without requiring re-authentication.
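The remediation this advisory calls for is server-side: a password change must invalidate every session the account holds, not just the one that performed the change. The following is an added example written for this page, not ZenML's code; the in-memory store, the injectable clock, and the names (`AuthService`, `password_changed_at`, `ticking_clock`) are assumptions. It models both behaviours: with `invalidate_on_password_change=False` the stale session keeps working, as described above; with the default `True`, existing sessions are dropped from the store and, as defence in depth, any session issued before `password_changed_at` is rejected at authentication time even if it somehow survived in the store.

```python
"""Server-side session handling that invalidates sessions on password change.

Added example (not ZenML's code); the store, clock and names are assumptions.
"""
import hashlib
import itertools
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 stand-in for whatever the real application uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    # Any session issued before this instant is treated as revoked.
    password_changed_at: float


@dataclass
class Session:
    username: str
    issued_at: float


class AuthService:
    """In-memory user/session store; `clock` is injectable so runs are deterministic."""

    def __init__(self, clock: Callable[[], float] = time.time,
                 invalidate_on_password_change: bool = True):
        self._clock = clock
        # False reproduces the advisory's behaviour; True is the hardened path.
        self._invalidate = invalidate_on_password_change
        self._users: dict[str, User] = {}
        self._sessions: dict[str, Session] = {}

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = User(username, salt, hash_password(password, salt),
                                     self._clock())

    def _check_password(self, user: User, password: str) -> bool:
        return secrets.compare_digest(hash_password(password, user.salt),
                                      user.password_hash)

    def login(self, username: str, password: str) -> Optional[str]:
        """Return an opaque session token, or None if the credentials are wrong."""
        user = self._users.get(username)
        if user is None or not self._check_password(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(username, self._clock())
        return token

    def authenticate(self, token: str) -> Optional[str]:
        """Resolve a token to a username; None means the session is not valid."""
        session = self._sessions.get(token)
        if session is None:
            return None
        user = self._users[session.username]
        # Defence in depth: a session that predates the last password change is
        # rejected even if it was never removed from the store.
        if self._invalidate and session.issued_at < user.password_changed_at:
            del self._sessions[token]
            return None
        return session.username

    def change_password(self, token: str, old_password: str,
                        new_password: str) -> Optional[str]:
        """Rotate the password; on success return a fresh token for the caller."""
        username = self.authenticate(token)
        if username is None:
            return None
        user = self._users[username]
        if not self._check_password(user, old_password):
            return None
        user.salt = secrets.token_bytes(16)
        user.password_hash = hash_password(new_password, user.salt)
        if self._invalidate:
            user.password_changed_at = self._clock()
            # Drop every existing session for this account, including the caller's;
            # the caller receives a new token from the login below.
            stale = [t for t, s in self._sessions.items() if s.username == username]
            for tok in stale:
                del self._sessions[tok]
        return self.login(username, new_password)


def ticking_clock(start: int = 1) -> Callable[[], float]:
    """Deterministic clock that advances by one on every call (constructed for demos)."""
    counter = itertools.count(start)
    return lambda: float(next(counter))
```

The `password_changed_at` comparison matters for deployments where sessions cannot be enumerated cheaply (replicated stores, or signed stateless tokens that carry their own issue time): revoking by issue time needs only one timestamp per user, whereas the store sweep alone would miss copies the server never sees.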

References

Published by the National Vulnerability Database Jun 8, 2024
Published to the GitHub Advisory Database Jun 8, 2024
Last updated Jun 10, 2024
Reviewed Jun 10, 2024

Severity

Low, 3.9 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
High
User interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low
CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

Weaknesses

CVE ID

CVE-2024-4680

GHSA ID

GHSA-99hm-86h7-gr3g

Source code
