cve-2024-2032
Vulnerability from cvelistv5
Published
2024-06-06 18:49
Modified
2024-08-01 18:56
Severity ?
EPSS score ?
0.04%
(0.15805)
Summary
A race condition vulnerability exists in zenml-io/zenml versions up to and including 0.55.3, which allows for the creation of multiple users with the same username when requests are sent in parallel. This issue was fixed in version 0.55.5. The vulnerability arises due to insufficient handling of concurrent user creation requests, leading to data inconsistencies and potential authentication problems. Specifically, concurrent processes may overwrite or corrupt user data, complicating user identification and posing security risks. This issue is particularly concerning for APIs that rely on usernames as input parameters, such as PUT /api/v1/users/test_race, where it could lead to further complications.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
zenml-io | zenml-io/zenml |
Version: unspecified < 0.55.5 |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:zenml-io:zenml:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "zenml", vendor: "zenml-io", versions: [ { lessThan: "0.55.5", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-2032", options: [ { Exploitation: "poc", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-06-07T18:33:05.512380Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-06-07T18:37:49.337Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T18:56:22.635Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://huntr.com/bounties/6199cd5d-611f-4ea9-96c5-52a952ba5a56", }, { tags: [ "x_transferred", ], url: "https://github.com/zenml-io/zenml/commit/afcaf741ef9114c9b32f722f101b97de3d8d147b", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "zenml-io/zenml", vendor: "zenml-io", versions: [ { lessThan: "0.55.5", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], descriptions: [ { lang: "en", value: "A race condition vulnerability exists in zenml-io/zenml versions up to and including 0.55.3, which allows for the creation of multiple users with the same username when requests are sent in parallel. This issue was fixed in version 0.55.5. The vulnerability arises due to insufficient handling of concurrent user creation requests, leading to data inconsistencies and potential authentication problems. Specifically, concurrent processes may overwrite or corrupt user data, complicating user identification and posing security risks. This issue is particularly concerning for APIs that rely on usernames as input parameters, such as PUT /api/v1/users/test_race, where it could lead to further complications.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 3.1, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-366", description: "CWE-366 Race Condition within a Thread", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-06-06T18:49:18.482Z", orgId: "c09c270a-b464-47c1-9133-acb35b22c19a", shortName: "@huntr_ai", }, references: [ { url: "https://huntr.com/bounties/6199cd5d-611f-4ea9-96c5-52a952ba5a56", }, { url: "https://github.com/zenml-io/zenml/commit/afcaf741ef9114c9b32f722f101b97de3d8d147b", }, ], source: { advisory: "6199cd5d-611f-4ea9-96c5-52a952ba5a56", discovery: "EXTERNAL", }, title: "Race Condition Vulnerability in zenml-io/zenml", }, }, cveMetadata: { assignerOrgId: "c09c270a-b464-47c1-9133-acb35b22c19a", assignerShortName: "@huntr_ai", cveId: "CVE-2024-2032", datePublished: "2024-06-06T18:49:18.482Z", dateReserved: "2024-02-29T19:13:02.247Z", dateUpdated: "2024-08-01T18:56:22.635Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { fkie_nvd: { configurations: "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zenml:zenml:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"0.55.5\", \"matchCriteriaId\": \"E8D29AD1-72A6-48F0-97BB-824EB4A40338\"}]}]}]", descriptions: "[{\"lang\": \"en\", \"value\": \"A race condition vulnerability exists in zenml-io/zenml versions up to and including 0.55.3, which allows for the creation of multiple users with the same username when requests are sent in parallel. This issue was fixed in version 0.55.5. The vulnerability arises due to insufficient handling of concurrent user creation requests, leading to data inconsistencies and potential authentication problems. Specifically, concurrent processes may overwrite or corrupt user data, complicating user identification and posing security risks. This issue is particularly concerning for APIs that rely on usernames as input parameters, such as PUT /api/v1/users/test_race, where it could lead to further complications.\"}, {\"lang\": \"es\", \"value\": \"Existe una vulnerabilidad de condici\\u00f3n de ejecuci\\u00f3n en las versiones de zenml-io/zenml hasta la 0.55.3 incluida, que permite la creaci\\u00f3n de m\\u00faltiples usuarios con el mismo nombre de usuario cuando las solicitudes se env\\u00edan en paralelo. Este problema se solucion\\u00f3 en la versi\\u00f3n 0.55.5. La vulnerabilidad surge debido al manejo insuficiente de solicitudes simult\\u00e1neas de creaci\\u00f3n de usuarios, lo que genera inconsistencias en los datos y posibles problemas de autenticaci\\u00f3n. Espec\\u00edficamente, los procesos simult\\u00e1neos pueden sobrescribir o da\\u00f1ar los datos del usuario, complicando la identificaci\\u00f3n del usuario y planteando riesgos de seguridad. Este problema es particularmente preocupante para las API que dependen de nombres de usuario como par\\u00e1metros de entrada, como PUT /api/v1/users/test_race, donde podr\\u00eda generar m\\u00e1s complicaciones.\"}]", id: "CVE-2024-2032", lastModified: "2024-11-21T09:08:53.180", metrics: "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L\", \"baseScore\": 3.1, \"baseSeverity\": \"LOW\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 0.5, \"impactScore\": 2.5}], \"cvssMetricV30\": [{\"source\": \"security@huntr.dev\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L\", \"baseScore\": 3.1, \"baseSeverity\": \"LOW\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 0.5, \"impactScore\": 2.5}]}", published: "2024-06-06T19:15:53.060", references: "[{\"url\": \"https://github.com/zenml-io/zenml/commit/afcaf741ef9114c9b32f722f101b97de3d8d147b\", \"source\": \"security@huntr.dev\", \"tags\": [\"Patch\"]}, {\"url\": \"https://huntr.com/bounties/6199cd5d-611f-4ea9-96c5-52a952ba5a56\", \"source\": \"security@huntr.dev\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/zenml-io/zenml/commit/afcaf741ef9114c9b32f722f101b97de3d8d147b\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://huntr.com/bounties/6199cd5d-611f-4ea9-96c5-52a952ba5a56\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]", sourceIdentifier: "security@huntr.dev", vulnStatus: "Modified", weaknesses: "[{\"source\": \"security@huntr.dev\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-366\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-362\"}]}]", }, nvd: "{\"cve\":{\"id\":\"CVE-2024-2032\",\"sourceIdentifier\":\"security@huntr.dev\",\"published\":\"2024-06-06T19:15:53.060\",\"lastModified\":\"2024-11-21T09:08:53.180\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A race condition vulnerability exists in zenml-io/zenml versions up to and including 0.55.3, which allows for the creation of multiple users with the same username when requests are sent in parallel. This issue was fixed in version 0.55.5. The vulnerability arises due to insufficient handling of concurrent user creation requests, leading to data inconsistencies and potential authentication problems. Specifically, concurrent processes may overwrite or corrupt user data, complicating user identification and posing security risks. This issue is particularly concerning for APIs that rely on usernames as input parameters, such as PUT /api/v1/users/test_race, where it could lead to further complications.\"},{\"lang\":\"es\",\"value\":\"Existe una vulnerabilidad de condición de ejecución en las versiones de zenml-io/zenml hasta la 0.55.3 incluida, que permite la creación de múltiples usuarios con el mismo nombre de usuario cuando las solicitudes se envían en paralelo. Este problema se solucionó en la versión 0.55.5. La vulnerabilidad surge debido al manejo insuficiente de solicitudes simultáneas de creación de usuarios, lo que genera inconsistencias en los datos y posibles problemas de autenticación. Específicamente, los procesos simultáneos pueden sobrescribir o dañar los datos del usuario, complicando la identificación del usuario y planteando riesgos de seguridad. Este problema es particularmente preocupante para las API que dependen de nombres de usuario como parámetros de entrada, como PUT /api/v1/users/test_race, donde podría generar más complicaciones.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L\",\"baseScore\":3.1,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":0.5,\"impactScore\":2.5}],\"cvssMetricV30\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L\",\"baseScore\":3.1,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":0.5,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-366\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-362\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zenml:zenml:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.55.5\",\"matchCriteriaId\":\"E8D29AD1-72A6-48F0-97BB-824EB4A40338\"}]}]}],\"references\":[{\"url\":\"https://github.com/zenml-io/zenml/commit/afcaf741ef9114c9b32f722f101b97de3d8d147b\",\"source\":\"security@huntr.dev\",\"tags\":[\"Patch\"]},{\"url\":\"https://huntr.com/bounties/6199cd5d-611f-4ea9-96c5-52a952ba5a56\",\"source\":\"security@huntr.dev\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/zenml-io/zenml/commit/afcaf741ef9114c9b32f722f101b97de3d8d147b\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://huntr.com/bounties/6199cd5d-611f-4ea9-96c5-52a952ba5a56\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}", vulnrichment: { containers: "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://huntr.com/bounties/6199cd5d-611f-4ea9-96c5-52a952ba5a56\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/zenml-io/zenml/commit/afcaf741ef9114c9b32f722f101b97de3d8d147b\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T18:56:22.635Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-2032\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-06-07T18:33:05.512380Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:zenml-io:zenml:*:*:*:*:*:*:*:*\"], \"vendor\": \"zenml-io\", \"product\": \"zenml\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"0.55.5\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-06-07T18:36:17.133Z\"}}], \"cna\": {\"title\": \"Race Condition Vulnerability in zenml-io/zenml\", \"source\": {\"advisory\": \"6199cd5d-611f-4ea9-96c5-52a952ba5a56\", \"discovery\": \"EXTERNAL\"}, \"metrics\": [{\"cvssV3_0\": {\"scope\": \"UNCHANGED\", \"version\": \"3.0\", \"baseScore\": 3.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"zenml-io\", \"product\": \"zenml-io/zenml\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"0.55.5\", \"versionType\": \"custom\"}]}], \"references\": [{\"url\": \"https://huntr.com/bounties/6199cd5d-611f-4ea9-96c5-52a952ba5a56\"}, {\"url\": \"https://github.com/zenml-io/zenml/commit/afcaf741ef9114c9b32f722f101b97de3d8d147b\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A race condition vulnerability exists in zenml-io/zenml versions up to and including 0.55.3, which allows for the creation of multiple users with the same username when requests are sent in parallel. This issue was fixed in version 0.55.5. The vulnerability arises due to insufficient handling of concurrent user creation requests, leading to data inconsistencies and potential authentication problems. Specifically, concurrent processes may overwrite or corrupt user data, complicating user identification and posing security risks. This issue is particularly concerning for APIs that rely on usernames as input parameters, such as PUT /api/v1/users/test_race, where it could lead to further complications.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-366\", \"description\": \"CWE-366 Race Condition within a Thread\"}]}], \"providerMetadata\": {\"orgId\": \"c09c270a-b464-47c1-9133-acb35b22c19a\", \"shortName\": \"@huntr_ai\", \"dateUpdated\": \"2024-06-06T18:49:18.482Z\"}}}", cveMetadata: "{\"cveId\": \"CVE-2024-2032\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-01T18:56:22.635Z\", \"dateReserved\": \"2024-02-29T19:13:02.247Z\", \"assignerOrgId\": \"c09c270a-b464-47c1-9133-acb35b22c19a\", \"datePublished\": \"2024-06-06T18:49:18.482Z\", \"assignerShortName\": \"@huntr_ai\"}", dataType: "CVE_RECORD", dataVersion: "5.1", }, }, }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.