CVE-2024-4460 DoS Vulnerability in zenml-io/zenml

2024-06-2406:58:10

CWE-400

@huntr_ai

www.cve.org

cve-2024-4460

dos vulnerability

zenml

api endpoint

resource consumption

user experience

zenml dashboard unusable

docker

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

0.0004 Low

EPSS

Percentile

9.1%

JSON

A denial of service (DoS) vulnerability exists in zenml-io/zenml version 0.56.3 due to improper handling of line feed (\n) characters in component names. When a low-privileged user adds a component through the API endpoint api/v1/workspaces/default/components with a name containing a \n character, it leads to uncontrolled resource consumption. This vulnerability results in the inability of users to add new components in certain categories (e.g., ‘Image Builder’) and to register new stacks through the UI, thereby degrading the user experience and potentially rendering the ZenML Dashboard unusable. The issue does not affect component addition through the Web UI, as \n characters are properly escaped in that context. The vulnerability was tested on ZenML running in Docker, and it was observed in both Firefox and Chrome browsers.

CNA Affected

[
  {
    "vendor": "zenml-io",
    "product": "zenml-io/zenml",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "0.57.1",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]