CVE-2024-4460

CVSS V2 None CVSS V3 None

Description

A denial of service (DoS) vulnerability exists in zenml-io/zenml version 0.56.3 due to improper handling of line feed (`\n`) characters in component names. When a low-privileged user adds a component through the API endpoint `api/v1/workspaces/default/components` with a name containing a `\n` character, it leads to uncontrolled resource consumption. This vulnerability results in the inability of users to add new components in certain categories (e.g., 'Image Builder') and to register new stacks through the UI, thereby degrading the user experience and potentially rendering the ZenML Dashboard unusable. The issue does not affect component addition through the Web UI, as `\n` characters are properly escaped in that context. The vulnerability was tested on ZenML running in Docker, and it was observed in both Firefox and Chrome browsers.

Overview

CVE ID
CVE-2024-4460

Assigner
@huntr_ai

Vulnerability Status
PUBLISHED

Published Version
2024-06-24T06:58:10.591Z

Last Modified Date
2024-06-24T06:58:10.591Z

Weakness Enumerations

CWE	URL
CWE-400	http://cwe.mitre.org/data/definitions/400.html

References

Reference URL	Reference Tags
https://huntr.com/bounties/a387c935-b970-44d7-bddc-71c1c90aa2de
https://github.com/zenml-io/zenml/commit/164cc09032060bbfc17e9dbd62c13efd5ff5771b

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-4460
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4460

History

Created	Old Value	New Value	Data Type	Notes
2024-06-26 16:56:19				Added to TrackCVE