206 matches found
ZenML < 0.55.5 Arbitrary File Upload
The version of ZenML installed on the remote host is prior to 0.55.5. It is, therefore, affected by an arbitrary file upload vulnerability in the load function at /materializers/cloudpicklematerializer.py. This vulnerability allows attackers to execute arbitrary code via uploading a crafted file...
ZenML < 0.56.3 Unpatched Session Expiration Exposure (CVE-2024-4680)
The version of ZenML installed on the remote host is prior to 0.56.3. It is, therefore, affected by a vulnerability which allows attackers to reuse old session credentials or session IDs due to insufficient session expiration. Specifically, the session does not expire after a password change,...
Account Takeover
zenml is vulnerable to Account Takeover. The vulnerability is due to a lack of rate-limiting on the '/api/v1/current-user' endpoint, which allows attackers to brute-force the current password in the 'Update Password' function...
Missing ratelimit on passwrod resets in zenml
zenml-io/zenml version 0.56.4 is vulnerable to an account takeover due to the lack of rate-limiting in the password change function. An attacker can brute-force the current password in the 'Update Password' function, allowing them to take over the user's account. This vulnerability is due to the...
Allocation of Resources Without Limits or Throttling
Overview zenml is a ZenML: Write production-ready ML code. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the /api/v1/current-user endpoint. An attacker can brute-force the current password in the Update Password function, allowing them...
CVE-2024-4311
zenml-io/zenml version 0.56.4 is vulnerable to an account takeover due to the lack of rate-limiting in the password change function. An attacker can brute-force the current password in the 'Update Password' function, allowing them to take over the user's account. This vulnerability is due to the...
CVE-2024-4311 Lack of login attempt rate-limiting in zenml-io/zenml
zenml-io/zenml version 0.56.4 is vulnerable to an account takeover due to the lack of rate-limiting in the password change function. An attacker can brute-force the current password in the 'Update Password' function, allowing them to take over the user's account. This vulnerability is due to the...
CVE-2024-4311 Lack of login attempt rate-limiting in zenml-io/zenml
zenml-io/zenml version 0.56.4 is vulnerable to an account takeover due to the lack of rate-limiting in the password change function. An attacker can brute-force the current password in the 'Update Password' function, allowing them to take over the user's account. This vulnerability is due to the...
CVE-2024-4311
ZenML 0.56.4 is affected by CVE-2024-4311 due to no rate-limiting on the password-change flow, enabling brute-forcing of the current password via /api/v1/current-user and potentially taking over the user account. Affected component: password update function. Impact: account takeover with unauthen...
ZenML 安全漏洞
ZenML is an extensible open source MLOps framework from ZenML Open Source for creating portable, production-ready machine learning pipelines. A security vulnerability exists in ZenML version 0.56.4, which stems from a lack of rate limiting in the password change function, making it vulnerable to...
Security Flaws in Popular ML Toolkits Enable Server Hijacks, Privilege Escalation
Cybersecurity researchers have uncovered nearly two dozen security flaws spanning 15 different machine learning ML related open-source projects. These comprise vulnerabilities discovered both on the server- and client-side, software supply chain security firm JFrog said in an analysis published...
ZenML Detection
Binary data pythonzenmldetect.nbin...
ZenML Detection
Binary data 701476.prm...
The vulnerability of the final point of the application programming interface /api/v1/users/{user_name_or_id}/activate, which is part of the Zenml machine learning pipeline creation framework, allows a violator to elevate their privileges.
The vulnerability of the final point of the application software interface/api/v1/users/usernameorid/activate function in the Zenml machine learning pipeline creation framework is related to deficiencies in the access control mechanism. Exploiting this vulnerability could allow an attacker to...
ZenML Detected
This is an informational plugin to inform the user that the scanner has detected a publicly accessible ZenML instance on the target application. ZenML is an open-source framework dedicated to MLOps abstracting the underlying infrastructure. This detection is included in the AI and LLM category. N...
Cross Site Scripting(XSS)
zenml is vulnerable to Cross-Site Scripting XSS . The vulnerability is due to improper input neutralization during web page generation within the survey redirect parameter, which allows an attacker to execute arbitrary JavaScript code in the context of the user's browser session...
GHSA-3434-HC3M-8MMM Reflected Cross-Site Scripting (XSS) in zenml
A reflected Cross-Site Scripting XSS vulnerability was identified in zenml-io/zenml version 0.57.1. The vulnerability exists due to improper neutralization of input during web page generation, specifically within the survey redirect parameter. This flaw allows an attacker to redirect users to a...
Reflected Cross-Site Scripting (XSS) in zenml
A reflected Cross-Site Scripting XSS vulnerability was identified in zenml-io/zenml version 0.57.1. The vulnerability exists due to improper neutralization of input during web page generation, specifically within the survey redirect parameter. This flaw allows an attacker to redirect users to a...
PYSEC-2024-176
A reflected Cross-Site Scripting XSS vulnerability was identified in zenml-io/zenml version 0.57.1. The vulnerability exists due to improper neutralization of input during web page generation, specifically within the survey redirect parameter. This flaw allows an attacker to redirect users to a...
CVE-2024-5062
A reflected Cross-Site Scripting XSS vulnerability was identified in zenml-io/zenml version 0.57.1. The vulnerability exists due to improper neutralization of input during web page generation, specifically within the survey redirect parameter. This flaw allows an attacker to redirect users to a...