Skip to main content

Zenml CVE-2024-28424

HIGH
Code Injection (CWE-94)
2024-03-14 cve@mitre.org
8.8
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from Vendor (mitre) · only source for this CVE.

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Mar 14, 2024 - 19:15 cve.org
HIGH 8.8

DescriptionCVE.org

zenml v0.55.4 was discovered to contain an arbitrary file upload vulnerability in the load function at /materializers/cloudpickle_materializer.py. This vulnerability allows attackers to execute arbitrary code via uploading a crafted file.

AnalysisAI

zenml v0.55.4 was discovered to contain an arbitrary file upload vulnerability in the load function at /materializers/cloudpickle_materializer.py. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Code Injection (CWE-94), which allows attackers to inject and execute arbitrary code within the application. zenml v0.55.4 was discovered to contain an arbitrary file upload vulnerability in the load function at /materializers/cloudpickle_materializer.py. This vulnerability allows attackers to execute arbitrary code via uploading a crafted file. Affected products include: Zenml.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Never evaluate user-controlled input as code. Use sandboxing, disable dangerous functions, apply strict input validation.

More in Zenml

View all
CVE-2024-2083 CRITICAL POC
9.9 Apr 16

A directory traversal vulnerability exists in the zenml-io/zenml repository, specifically within the /api/v1/steps endpo

CVE-2024-4680 HIGH POC
8.8 Jun 08

A vulnerability in zenml-io/zenml version 0.56.3 allows attackers to reuse old session credentials or session IDs due to

CVE-2024-25723 HIGH POC
8.8 Feb 27

ZenML Server in the ZenML machine learning package before 0.46.7 for Python allows remote privilege escalation because t

CVE-2024-2035 MEDIUM POC
6.5 Jun 06

An improper authorization vulnerability exists in the zenml-io/zenml repository, specifically within the API PUT /api/v1

CVE-2024-5062 MEDIUM POC
6.1 Jun 30

A reflected Cross-Site Scripting (XSS) vulnerability was identified in zenml-io/zenml version 0.57.1. Rated medium sever

CVE-2024-2383 MEDIUM POC
6.1 Jun 06

A clickjacking vulnerability exists in zenml-io/zenml versions up to and including 0.55.5 due to the application's failu

CVE-2024-4311 MEDIUM POC
5.4 Nov 14

zenml-io/zenml version 0.56.4 is vulnerable to an account takeover due to the lack of rate-limiting in the password chan

CVE-2024-2171 MEDIUM POC
4.8 Jun 06

A stored Cross-Site Scripting (XSS) vulnerability was identified in the zenml-io/zenml repository, specifically within t

CVE-2024-2260 MEDIUM POC
4.2 Apr 16

A session fixation vulnerability exists in the zenml-io/zenml application, where JWT tokens used for user authentication

CVE-2024-2213 LOW POC
3.3 Jun 06

An issue was discovered in zenml-io/zenml versions up to and including 0.55.4. Rated low severity (CVSS 3.3), this vulne

CVE-2024-2032 LOW
3.1 Jun 06

A race condition vulnerability exists in zenml-io/zenml versions up to and including 0.55.3, which allows for the creati

CVE-2024-9340 HIGH POC
7.5 Mar 20

A Denial of Service (DoS) vulnerability in zenml-io/zenml version 0.66.0 allows unauthenticated attackers to cause exces

Share

CVE-2024-28424 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy