CVE-2024-2035

CVSS V2 None CVSS V3 None

Description

An improper authorization vulnerability exists in the zenml-io/zenml repository, specifically within the API PUT /api/v1/users/id endpoint. This vulnerability allows any authenticated user to modify the information of other users, including changing the `active` status of user accounts to false, effectively deactivating them. This issue affects version 0.55.3 and was fixed in version 0.56.2. The impact of this vulnerability is significant as it allows for the deactivation of admin accounts, potentially disrupting the functionality and security of the application.

Overview

CVE ID
CVE-2024-2035

Assigner
@huntr_ai

Vulnerability Status
PUBLISHED

Published Version
2024-06-06T18:25:00.141Z

Last Modified Date
2024-06-07T12:37:11.076Z

Weakness Enumerations

CWE	URL
CWE-1220	http://cwe.mitre.org/data/definitions/1220.html

References

Reference URL	Reference Tags
https://huntr.com/bounties/1cfc6493-082e-4229-9f2f-496801a6557c
https://github.com/zenml-io/zenml/commit/b95f083efffa56831cd41d8ed536aeb0b6038fa3

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-2035
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2035

History

Created	Old Value	New Value	Data Type	Notes
2024-06-25 23:05:44				Added to TrackCVE