OpenCVE

A clickjacking vulnerability exists in zenml-io/zenml versions up to and including 0.55.5 due to the application's failure to set appropriate X-Frame-Options or Content-Security-Policy HTTP headers. This vulnerability allows an attacker to embed the application UI within an iframe on a malicious page, potentially leading to unauthorized actions by tricking users into interacting with the interface under the attacker's control. The issue was addressed in version 0.56.3.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Zenml	Zenml

Configuration 1 [-]

cpe:2.3:a:zenml:zenml:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/zenml-io/zenml/commit/f863fde1269bc355951f8cfc826c0244d88ad5e9
https://huntr.com/bounties/22d26f5a-c0ae-4344-aa7d-08ff5ada3963

History

Fri, 11 Oct 2024 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Zenml Zenml zenml
CPEs		cpe:2.3:a:zenml:zenml::::::::
Vendors & Products		Zenml Zenml zenml
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-06-06T18:18:29.911Z

Updated: 2024-08-01T19:11:53.449Z

Reserved: 2024-03-11T16:19:50.424Z

Link: CVE-2024-2383

Vulnrichment

Updated: 2024-08-01T19:11:53.449Z

NVD

Status : Modified

Published: 2024-06-06T19:15:54.970

Modified: 2024-11-21T09:09:38.170

Link: CVE-2024-2383

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-2383", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2024-03-11T16:19:50.424Z", "datePublished": "2024-06-06T18:18:29.911Z", "dateUpdated": "2024-08-01T19:11:53.449Z"}, "containers": {"cna": {"title": "Clickjacking Vulnerability in zenml-io/zenml", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-06-06T18:18:29.911Z"}, "descriptions": [{"lang": "en", "value": "A clickjacking vulnerability exists in zenml-io/zenml versions up to and including 0.55.5 due to the application's failure to set appropriate X-Frame-Options or Content-Security-Policy HTTP headers. This vulnerability allows an attacker to embed the application UI within an iframe on a malicious page, potentially leading to unauthorized actions by tricking users into interacting with the interface under the attacker's control. The issue was addressed in version 0.56.3."}], "affected": [{"vendor": "zenml-io", "product": "zenml-io/zenml", "versions": [{"version": "unspecified", "lessThan": "0.56.3", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/22d26f5a-c0ae-4344-aa7d-08ff5ada3963"}, {"url": "https://github.com/zenml-io/zenml/commit/f863fde1269bc355951f8cfc826c0244d88ad5e9"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-1021 Improper Restriction of Rendered UI Layers or Frames", "cweId": "CWE-1021"}]}], "source": {"advisory": "22d26f5a-c0ae-4344-aa7d-08ff5ada3963", "discovery": "EXTERNAL"}}, "adp": [{"affected": [{"vendor": "zenml-io", "product": "zenml", "cpes": ["cpe:2.3:a:zenml-io:zenml:0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.55.5", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-07T19:37:36.489628Z", "id": "CVE-2024-2383", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-07T19:39:30.275Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:11:53.449Z"}, "title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/22d26f5a-c0ae-4344-aa7d-08ff5ada3963", "tags": ["x_transferred"]}, {"url": "https://github.com/zenml-io/zenml/commit/f863fde1269bc355951f8cfc826c0244d88ad5e9", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/22d26f5a-c0ae-4344-aa7d-08ff5ada3963", "tags": ["x_transferred"]}, {"url": "https://github.com/zenml-io/zenml/commit/f863fde1269bc355951f8cfc826c0244d88ad5e9", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:11:53.449Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-2383", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-07T19:37:36.489628Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:zenml-io:zenml:0:*:*:*:*:*:*:*"], "vendor": "zenml-io", "product": "zenml", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "0.55.5"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-07T19:39:22.851Z"}}], "cna": {"title": "Clickjacking Vulnerability in zenml-io/zenml", "source": {"advisory": "22d26f5a-c0ae-4344-aa7d-08ff5ada3963", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "zenml-io", "product": "zenml-io/zenml", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "0.56.3", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/22d26f5a-c0ae-4344-aa7d-08ff5ada3963"}, {"url": "https://github.com/zenml-io/zenml/commit/f863fde1269bc355951f8cfc826c0244d88ad5e9"}], "descriptions": [{"lang": "en", "value": "A clickjacking vulnerability exists in zenml-io/zenml versions up to and including 0.55.5 due to the application's failure to set appropriate X-Frame-Options or Content-Security-Policy HTTP headers. This vulnerability allows an attacker to embed the application UI within an iframe on a malicious page, potentially leading to unauthorized actions by tricking users into interacting with the interface under the attacker's control. The issue was addressed in version 0.56.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1021", "description": "CWE-1021 Improper Restriction of Rendered UI Layers or Frames"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-06-06T18:18:29.911Z"}}}, "cveMetadata": {"cveId": "CVE-2024-2383", "state": "PUBLISHED", "dateUpdated": "2024-08-01T19:11:53.449Z", "dateReserved": "2024-03-11T16:19:50.424Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2024-06-06T18:18:29.911Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zenml:zenml:*:*:*:*:*:*:*:*", "matchCriteriaId": "0A24ABC9-62F4-4AAF-B7C3-C14F607AD79F", "versionEndExcluding": "0.56.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A clickjacking vulnerability exists in zenml-io/zenml versions up to and including 0.55.5 due to the application's failure to set appropriate X-Frame-Options or Content-Security-Policy HTTP headers. This vulnerability allows an attacker to embed the application UI within an iframe on a malicious page, potentially leading to unauthorized actions by tricking users into interacting with the interface under the attacker's control. The issue was addressed in version 0.56.3."}, {"lang": "es", "value": "Existe una vulnerabilidad de clickjacking en las versiones de zenml-io/zenml hasta la 0.55.5 incluida debido a que la aplicaci\u00f3n no configura los encabezados HTTP X-Frame-Options o Content-Security-Policy adecuados. Esta vulnerabilidad permite a un atacante incrustar la interfaz de usuario de la aplicaci\u00f3n dentro de un iframe en una p\u00e1gina maliciosa, lo que podr\u00eda provocar acciones no autorizadas al enga\u00f1ar a los usuarios para que interact\u00faen con la interfaz bajo el control del atacante. El problema se solucion\u00f3 en la versi\u00f3n 0.56.3."}], "id": "CVE-2024-2383", "lastModified": "2024-11-21T09:09:38.170", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-06T19:15:54.970", "references": [{"source": "security@huntr.dev", "tags": ["Patch"], "url": "https://github.com/zenml-io/zenml/commit/f863fde1269bc355951f8cfc826c0244d88ad5e9"}, {"source": "security@huntr.dev", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://huntr.com/bounties/22d26f5a-c0ae-4344-aa7d-08ff5ada3963"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/zenml-io/zenml/commit/f863fde1269bc355951f8cfc826c0244d88ad5e9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://huntr.com/bounties/22d26f5a-c0ae-4344-aa7d-08ff5ada3963"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1021"}], "source": "security@huntr.dev", "type": "Secondary"}]}