GHSA-7GJR-HCC3-XFR4
Vulnerability from github – Published: 2024-06-24 09:30 – Updated: 2024-06-24 21:28A denial of service (DoS) vulnerability exists in zenml-io/zenml version 0.56.3 due to improper handling of line feed (\n) characters in component names. When a low-privileged user adds a component through the API endpoint api/v1/workspaces/default/components with a name containing a \n character, it leads to uncontrolled resource consumption. This vulnerability results in the inability of users to add new components in certain categories (e.g., 'Image Builder') and to register new stacks through the UI, thereby degrading the user experience and potentially rendering the ZenML Dashboard unusable. The issue does not affect component addition through the Web UI, as \n characters are properly escaped in that context. The vulnerability was tested on ZenML running in Docker, and it was observed in both Firefox and Chrome browsers.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "zenml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.57.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-4460"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-24T21:28:27Z",
"nvd_published_at": "2024-06-24T07:15:15Z",
"severity": "MODERATE"
},
"details": "A denial of service (DoS) vulnerability exists in zenml-io/zenml version 0.56.3 due to improper handling of line feed (`\\n`) characters in component names. When a low-privileged user adds a component through the API endpoint `api/v1/workspaces/default/components` with a name containing a `\\n` character, it leads to uncontrolled resource consumption. This vulnerability results in the inability of users to add new components in certain categories (e.g., \u0027Image Builder\u0027) and to register new stacks through the UI, thereby degrading the user experience and potentially rendering the ZenML Dashboard unusable. The issue does not affect component addition through the Web UI, as `\\n` characters are properly escaped in that context. The vulnerability was tested on ZenML running in Docker, and it was observed in both Firefox and Chrome browsers.",
"id": "GHSA-7gjr-hcc3-xfr4",
"modified": "2024-06-24T21:28:27Z",
"published": "2024-06-24T09:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4460"
},
{
"type": "WEB",
"url": "https://github.com/zenml-io/zenml/commit/164cc09032060bbfc17e9dbd62c13efd5ff5771b"
},
{
"type": "PACKAGE",
"url": "https://github.com/zenml-io/zenml"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/a387c935-b970-44d7-bddc-71c1c90aa2de"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Improper line feed handling in zenml"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.