Veracode Vulnerability Database: VERACODE:46477

Session Fixation

Published: 2024-04-17 07:36:41
Source: Veracode Vulnerability Database (sca.analysiscenter.veracode.com)
Tags: session fixation, zenml, jwt tokens, user authentication, vulnerability, logout, attacker, bypass, mechanisms

CVSS3: 4.2 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

AI Score: 7.3 High (Confidence: Low)

EPSS: 0.0004 Low (Percentile: 9.0%)

Zenml-io/zenml is vulnerable to session fixation. The vulnerability is due to JWT tokens used for user authentication not being invalidated upon logout, allowing an attacker to reuse a victim’s JWT token to bypass authentication mechanisms.
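Added example (not ZenML's code): a minimal HS256 JWT issuer with a server-side revocation store, showing why a logout that only discards the token on the client leaves it reusable, and how a jti denylist consulted at verification time closes that gap. The secret, the in-memory store and the function names are constructed assumptions for the demo.

```python
import base64, hashlib, hmac, json, time, uuid

SECRET = b"constructed-demo-secret"  # constructed sample value, not a real key

# Server-side revocation store: jti -> exp. A signed JWT is self-contained, so unless
# logout records its id here the token stays valid until exp (the reuse-after-logout case).
REVOKED = {}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue(user: str, ttl: int = 3600, now=None) -> str:
    """Mint an HS256 JWT carrying a unique jti so it can be revoked later."""
    now = int(time.time()) if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": user, "iat": now, "exp": now + ttl,
                               "jti": uuid.uuid4().hex}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify(token: str, check_revocation: bool = True, now=None):
    """Return the claims if the token is valid, else None. check_revocation=False
    reproduces the vulnerable behaviour: signature and expiry pass, logout is ignored."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        given = _unb64(sig)
        claims = json.loads(_unb64(payload))
    except ValueError:  # malformed segments, bad base64 or bad JSON
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    if claims.get("exp", 0) <= now:
        return None
    if check_revocation and claims.get("jti") in REVOKED:
        return None
    return claims

def logout(token: str, now=None) -> bool:
    """Invalidate the presented token server-side; entries can be purged after exp."""
    claims = verify(token, now=now)
    if claims is None:
        return False
    REVOKED[claims["jti"]] = claims["exp"]
    return True
```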

Affected packages (CPE):

Name     Operator   Version
zenml    le         0.56.1
