CVE-2024-2213 - OpenCVE

An issue was discovered in zenml-io/zenml versions up to and including 0.55.4. Due to improper authentication mechanisms, an attacker with access to an active user session can change the account password without needing to know the current password. This vulnerability allows for unauthorized account takeover by bypassing the standard password change verification process. The issue was fixed in version 0.56.3.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Zenml	Zenml

Configuration 1 [-]

cpe:2.3:a:zenml:zenml:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/zenml-io/zenml/commit/58cb3d987372c91eb605853c35325701733337c2
https://huntr.com/bounties/8f5534ac-fd08-4b8b-8c2e-35949aa36e48

History

Fri, 11 Oct 2024 16:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Zenml Zenml zenml
Weaknesses		NVD-CWE-Other
CPEs		cpe:2.3:a:zenml:zenml::::::::
Vendors & Products		Zenml Zenml zenml
Metrics		cvssV3_1 `{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-06-06T18:19:26.553Z

Updated: 2024-08-01T19:03:39.114Z

Reserved: 2024-03-06T08:29:15.083Z

Link: CVE-2024-2213

Vulnrichment

Updated: 2024-08-01T19:03:39.114Z

NVD

Status : Analyzed

Published: 2024-06-06T19:15:53.890

Modified: 2024-10-11T15:34:13.917

Link: CVE-2024-2213

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-2213", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2024-03-06T08:29:15.083Z", "datePublished": "2024-06-06T18:19:26.553Z", "dateUpdated": "2024-08-01T19:03:39.114Z"}, "containers": {"cna": {"title": "Improper Authentication in zenml-io/zenml", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-06-06T18:19:26.553Z"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in zenml-io/zenml versions up to and including 0.55.4. Due to improper authentication mechanisms, an attacker with access to an active user session can change the account password without needing to know the current password. This vulnerability allows for unauthorized account takeover by bypassing the standard password change verification process. The issue was fixed in version 0.56.3."}], "affected": [{"vendor": "zenml-io", "product": "zenml-io/zenml", "versions": [{"version": "unspecified", "lessThan": "0.56.3", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/8f5534ac-fd08-4b8b-8c2e-35949aa36e48"}, {"url": "https://github.com/zenml-io/zenml/commit/58cb3d987372c91eb605853c35325701733337c2"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 3.3, "baseSeverity": "LOW"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-287 Improper Authentication", "cweId": "CWE-287"}]}], "source": {"advisory": "8f5534ac-fd08-4b8b-8c2e-35949aa36e48", "discovery": "EXTERNAL"}}, "adp": [{"affected": [{"vendor": "zenmlio", "product": "zenml", "cpes": ["cpe:2.3:a:zenmlio:zenml:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "0.56.3", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-07T12:48:37.724985Z", "id": "CVE-2024-2213", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-26T19:36:34.840Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:03:39.114Z"}, "title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/8f5534ac-fd08-4b8b-8c2e-35949aa36e48", "tags": ["x_transferred"]}, {"url": "https://github.com/zenml-io/zenml/commit/58cb3d987372c91eb605853c35325701733337c2", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/8f5534ac-fd08-4b8b-8c2e-35949aa36e48", "tags": ["x_transferred"]}, {"url": "https://github.com/zenml-io/zenml/commit/58cb3d987372c91eb605853c35325701733337c2", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:03:39.114Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-2213", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-07T12:48:37.724985Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:zenmlio:zenml:*:*:*:*:*:*:*:*"], "vendor": "zenmlio", "product": "zenml", "versions": [{"status": "affected", "version": "0", "lessThan": "0.56.3", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-07T12:49:51.808Z"}}], "cna": {"title": "Improper Authentication in zenml-io/zenml", "source": {"advisory": "8f5534ac-fd08-4b8b-8c2e-35949aa36e48", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "zenml-io", "product": "zenml-io/zenml", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "0.56.3", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/8f5534ac-fd08-4b8b-8c2e-35949aa36e48"}, {"url": "https://github.com/zenml-io/zenml/commit/58cb3d987372c91eb605853c35325701733337c2"}], "descriptions": [{"lang": "en", "value": "An issue was discovered in zenml-io/zenml versions up to and including 0.55.4. Due to improper authentication mechanisms, an attacker with access to an active user session can change the account password without needing to know the current password. This vulnerability allows for unauthorized account takeover by bypassing the standard password change verification process. The issue was fixed in version 0.56.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287 Improper Authentication"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-06-06T18:19:26.553Z"}}}, "cveMetadata": {"cveId": "CVE-2024-2213", "state": "PUBLISHED", "dateUpdated": "2024-08-01T19:03:39.114Z", "dateReserved": "2024-03-06T08:29:15.083Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2024-06-06T18:19:26.553Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zenml:zenml:*:*:*:*:*:*:*:*", "matchCriteriaId": "0A24ABC9-62F4-4AAF-B7C3-C14F607AD79F", "versionEndExcluding": "0.56.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in zenml-io/zenml versions up to and including 0.55.4. Due to improper authentication mechanisms, an attacker with access to an active user session can change the account password without needing to know the current password. This vulnerability allows for unauthorized account takeover by bypassing the standard password change verification process. The issue was fixed in version 0.56.3."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en las versiones de zenml-io/zenml hasta la 0.55.4 incluida. Debido a mecanismos de autenticaci\u00f3n inadecuados, un atacante con acceso a una sesi\u00f3n de usuario activa puede cambiar la contrase\u00f1a de la cuenta sin necesidad de conocer la contrase\u00f1a actual. Esta vulnerabilidad permite la apropiaci\u00f3n no autorizada de cuentas al pasar por alto el proceso est\u00e1ndar de verificaci\u00f3n de cambio de contrase\u00f1a. El problema se solucion\u00f3 en la versi\u00f3n 0.56.3."}], "id": "CVE-2024-2213", "lastModified": "2024-10-11T15:34:13.917", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-06T19:15:53.890", "references": [{"source": "security@huntr.dev", "tags": ["Patch"], "url": "https://github.com/zenml-io/zenml/commit/58cb3d987372c91eb605853c35325701733337c2"}, {"source": "security@huntr.dev", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://huntr.com/bounties/8f5534ac-fd08-4b8b-8c2e-35949aa36e48"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-287"}], "source": "security@huntr.dev", "type": "Secondary"}]}