CVE-2024-25723: ZenML ZenML Server - Improper Authentication

Date: 2025-08-01 | Affected software: ZenML ZenML Server | PoC: public

Vulnerability description

ZenML Server in the ZenML machine learning package before 0.46.7 for Python allows remote privilege escalation because the /api/v1/users/{user_name_or_id}/activate REST API endpoint allows access on the basis of a valid username along with a new password in the request body.

PoC code [public]

id: CVE-2024-25723

info:
  name: ZenML ZenML Server - Improper Authentication
  author: David Botelho Mariano
  severity: critical
  description: |
    ZenML Server in the ZenML machine learning package before 0.46.7 for Python allows remote privilege escalation because the /api/v1/users/{user_name_or_id}/activate REST API endpoint allows access on the basis of a valid username along with a new password in the request body.
  impact: |
    Successful exploitation could lead to unauthorized access to sensitive data.
  remediation: |
    Implement proper authentication mechanisms and ensure access controls are correctly configured.
  reference:
    - https://www.zenml.io/blog/critical-security-update-for-zenml-users
    - https://github.com/zenml-io/zenml
    - https://github.com/zenml-io/zenml/compare/0.42.1...0.42.2
    - https://github.com/zenml-io/zenml/compare/0.43.0...0.43.1
    - https://github.com/zenml-io/zenml/compare/0.44.3...0.44.4
  classification:
    epss-score: 0.89644
    epss-percentile: 0.99538
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.favicon.hash:-2028554187
    fofa-query: body="ZenML"
  tags: cve,cve2024,passive,auth-bypass,zenml

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/v1/info"

    matchers:
      - type: dsl
        dsl:
          - "compare_versions(version, '< 0.46.7')"
          - "!contains_any(version, '0.44.4', '0.43.1', '0.42.2')"
          - "contains_all(body, 'deployment_type', 'database_type')"
        condition: and

    extractors:
      - type: regex
        part: body
        group: 1
        name: version
        regex:
          - '"version":"(.*?)"'
        internal: true
# digest: 4a0a00473045022100f9878aff7e451e0c6b9f2dd89a9ce3f4c1b00699c8cd90c6080d5a4ba3fef28a02203c0068d9cdaa1ae325098da285a78e82b0c4589254aca5f90309017c2a0ccbf1:922c64590222798bb761d5b6d8e72950
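The template above reaches its verdict from three conditions: the body of /api/v1/info carries the ZenML markers deployment_type and database_type, the extracted version is below 0.46.7, and the version is not one of the three releases that received a backported fix (0.44.4, 0.43.1, 0.42.2). The following Python is an added example, not code from ZenML or from the template author, that re-implements the same decision so a defender can run it offline against a saved /api/v1/info body from their own inventory. The sample bodies are constructed; their field values are assumptions about the response shape, not captured output.

```python
"""Offline re-implementation of the version logic in the CVE-2024-25723 Nuclei template.
Added example, not ZenML's or the template author's code."""
import json
import re

# Releases that received a backported fix, taken from the template's dsl matcher.
BACKPORTED_FIXED = ("0.44.4", "0.43.1", "0.42.2")
FIXED_VERSION = "0.46.7"


def parse_version(v: str) -> tuple:
    """Turn '0.46.7' into (0, 46, 7) so tuples compare numerically.

    Simplification: a trailing non-numeric suffix ('0.46.7rc1') is dropped from the
    last component, so a pre-release compares equal to its final release here.
    """
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """Mirror the template: version < 0.46.7 AND not one of the backported fixes."""
    if version in BACKPORTED_FIXED:
        return False
    return parse_version(version) < parse_version(FIXED_VERSION)


def extract_version(body: str):
    """Same regex as the template's extractor (group 1) applied to the raw body.

    Note the regex requires compact JSON ('"version":"x"', no space after the colon);
    a pretty-printed body would not match, exactly as it would not match in Nuclei.
    """
    m = re.search(r'"version":"(.*?)"', body)
    return m.group(1) if m else None


def assess_info_response(body: str) -> dict:
    """Apply the template's three matchers to one response body and return the verdict."""
    has_markers = "deployment_type" in body and "database_type" in body
    version = extract_version(body)
    affected = bool(has_markers and version and is_affected(version))
    return {"version": version, "zenml_markers": has_markers, "affected": affected}


# Constructed sample bodies (assumed shape, not captured from a real server).
# Compact separators match how FastAPI-style servers serialize, which the regex relies on.
SAMPLE_VULNERABLE = json.dumps(
    {"version": "0.45.0", "deployment_type": "local", "database_type": "sqlite"},
    separators=(",", ":"),
)
SAMPLE_BACKPORTED = json.dumps(
    {"version": "0.44.4", "deployment_type": "local", "database_type": "sqlite"},
    separators=(",", ":"),
)
SAMPLE_FIXED = json.dumps(
    {"version": "0.46.7", "deployment_type": "cloud", "database_type": "mysql"},
    separators=(",", ":"),
)
SAMPLE_NOT_ZENML = '{"version":"0.1.0","name":"some-other-service"}'
# Same fields as SAMPLE_VULNERABLE but pretty-printed: the extractor regex will not match.
SAMPLE_PRETTY = json.dumps(
    {"version": "0.45.0", "deployment_type": "local", "database_type": "sqlite"}
)


if __name__ == "__main__":
    for label, body in [
        ("vulnerable", SAMPLE_VULNERABLE),
        ("backported fix", SAMPLE_BACKPORTED),
        ("fixed", SAMPLE_FIXED),
        ("not zenml", SAMPLE_NOT_ZENML),
        ("pretty-printed", SAMPLE_PRETTY),
    ]:
        print(f"{label:15} -> {assess_info_response(body)}")
```

The pretty-printed sample is the caveat worth knowing when adapting this check: the template's extractor, and this copy of it, depend on the server emitting compact JSON, so a proxy or gateway that reformats responses would make an affected instance look clean. Parsing the body with json.loads before reading the version field avoids that dependence.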