CVE-2024-25723: ZenML ZenML Server - Improper Authentication

Date: 2025-08-01 | Affected software: ZenML ZenML Server | PoC: public

Vulnerability description

ZenML Server in the ZenML machine learning package before 0.46.7 for Python allows remote privilege escalation because the /api/v1/users/{user_name_or_id}/activate REST API endpoint allows access on the basis of a valid username along with a new password in the request body.

PoC code [public]

id: CVE-2024-25723

info:
  name: ZenML ZenML Server - Improper Authentication
  author: David Botelho Mariano
  severity: critical
  description: |
    ZenML Server in the ZenML machine learning package before 0.46.7 for Python allows remote privilege escalation because the /api/v1/users/{user_name_or_id}/activate REST API endpoint allows access on the basis of a valid username along with a new password in the request body.
  impact: |
    Successful exploitation could lead to unauthorized access to sensitive data.
  remediation: |
    Implement proper authentication mechanisms and ensure access controls are correctly configured.
  reference:
    - https://www.zenml.io/blog/critical-security-update-for-zenml-users
    - https://github.com/zenml-io/zenml
    - https://github.com/zenml-io/zenml/compare/0.42.1...0.42.2
    - https://github.com/zenml-io/zenml/compare/0.43.0...0.43.1
    - https://github.com/zenml-io/zenml/compare/0.44.3...0.44.4
  classification:
    epss-score: 0.89644
    epss-percentile: 0.99543
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.favicon.hash:-2028554187
    fofa-query: body="ZenML"
  tags: cve,cve2024,passive,auth-bypass,zenml,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/v1/info"

    matchers:
      - type: dsl
        dsl:
          - "compare_versions(version, '< 0.46.7')"
          - "!contains_any(version, '0.44.4', '0.43.1', '0.42.2')"
          - "contains_all(body, 'deployment_type', 'database_type')"
        condition: and

    extractors:
      - type: regex
        part: body
        group: 1
        name: version
        regex:
          - '"version":"(.*?)"'
        internal: true
# digest: 4a0a0047304502205c31a1e3c35d74c32ec3b9407588e9b18cb89e2b860e60c091e0f8fe66359ea10221008ff17a36f29e6704035eb838761ca1f8d17b4d592d1d144c8c243f39b5dbcca2:922c64590222798bb761d5b6d8e72950
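The template above is a passive check: it reads the version reported by /api/v1/info and flags anything below 0.46.7 that is not one of the backported fix releases (0.42.2, 0.43.1, 0.44.4). The following is an added example, not part of the page or the ZenML project, that implements the same gate in Python for use in an inventory script; it goes slightly beyond the template's substring test by parsing the version numerically, and it returns an "unknown" result for bodies that do not look like a ZenML info response. The sample bodies are constructed.

```python
import json
import re
from typing import Optional, Tuple

# Fix release and the backported patch releases named in the template's DSL.
FIXED_VERSION = (0, 46, 7)
PATCHED_BACKPORTS = {(0, 42, 2), (0, 43, 1), (0, 44, 4)}

# Same regex as the template's extractor, used as a fallback for non-JSON bodies.
VERSION_RE = re.compile(r'"version"\s*:\s*"([^"]*)"')

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Parse a dotted numeric version such as '0.44.3' into a tuple.
    Returns None for pre-release or malformed strings so they are reported
    as unknown rather than misclassified by a plain string comparison."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def extract_version(body: str) -> Optional[str]:
    """Pull the 'version' field from an /api/v1/info response body."""
    try:
        data = json.loads(body)
        if isinstance(data, dict) and isinstance(data.get("version"), str):
            return data["version"]
    except ValueError:
        pass
    match = VERSION_RE.search(body)
    return match.group(1) if match else None

def is_affected(body: str) -> Optional[bool]:
    """Mirror the template's matcher: the body must contain the ZenML info
    fields 'deployment_type' and 'database_type', the version must be below
    0.46.7, and it must not be a backported fix release.
    Returns True (affected), False (patched) or None (cannot decide)."""
    if "deployment_type" not in body or "database_type" not in body:
        return None
    raw = extract_version(body)
    parsed = parse_version(raw) if raw else None
    if parsed is None:
        return None
    if parsed in PATCHED_BACKPORTS:
        return False
    return parsed < FIXED_VERSION

# Constructed sample bodies, not real server output.
SAMPLE_VULNERABLE = '{"version":"0.44.3","deployment_type":"docker","database_type":"sqlite"}'
SAMPLE_BACKPORT = '{"version":"0.44.4","deployment_type":"docker","database_type":"sqlite"}'
SAMPLE_FIXED = '{"version":"0.46.7","deployment_type":"docker","database_type":"mysql"}'
```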
