ZenML < 0.57.1 DoS (CVE-2024-4460)

medium Nessus Plugin ID 213485

Synopsis

The remote host has a version of ZenML installed that is affected by a denial of service vulnerability.

Description

The version of ZenML installed on the remote host is prior to 0.57.1. It is, therefore, affected by a denial of service (DoS) vulnerability in zenml-io/zenml caused by improper handling of line feed (`\n`) characters in component names. When a low-privileged user adds a component through the API endpoint `api/v1/workspaces/default/components` with a name containing a `\n` character, it leads to uncontrolled resource consumption. As a result, users can no longer add new components in certain categories (e.g., 'Image Builder') or register new stacks through the UI, which degrades the user experience and can render the ZenML Dashboard unusable. The issue does not affect component addition through the Web UI, as `\n` characters are properly escaped in that context. The vulnerability was tested on ZenML running in Docker, and it was observed in both Firefox and Chrome browsers. The project maintainers disputed the exposure with NVD and claim it is only a QA bug.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
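The description above comes down to a component name reaching storage with a line feed in it because the API path did not apply the check the Web UI path did. The following is an added example, not ZenML's code and not a description of the 0.57.1 change: a name validator applied to a decoded request body and to already stored records. The record field names (`id`, `type`, `name`) and all sample data are assumptions constructed for illustration.

```python
import json
import unicodedata

# Unicode categories treated as unsafe in a display name:
# Cc = control characters (\n, \r, \t, NUL), Zl/Zp = line and paragraph separators.
UNSAFE_CATEGORIES = {"Cc", "Zl", "Zp"}


def name_problems(name):
    """Return one message per unsafe character in name; an empty list means accept."""
    return [
        f"U+{ord(ch):04X} at index {pos}"
        for pos, ch in enumerate(name)
        if unicodedata.category(ch) in UNSAFE_CATEGORIES
    ]


def check_request_body(raw_json):
    """Validate the name after JSON decoding, where an escaped line feed becomes a real one."""
    body = json.loads(raw_json)
    return name_problems(body.get("name", ""))


def audit(components):
    """Map component id -> problems for stored records whose name is unsafe."""
    return {c["id"]: p for c in components if (p := name_problems(c["name"]))}


# Constructed sample data; the field names "id", "type" and "name" are assumptions.
SAMPLE_BODY = '{"name": "builder\\nx", "type": "image_builder"}'
SAMPLE_RECORDS = [
    {"id": "c1", "type": "image_builder", "name": "local-builder"},
    {"id": "c2", "type": "image_builder", "name": "builder\nx"},
    {"id": "c3", "type": "orchestrator", "name": "prod\u2028orch"},
]

if __name__ == "__main__":
    print(check_request_body(SAMPLE_BODY))
    for cid, problems in audit(SAMPLE_RECORDS).items():
        print(cid, problems)
```

The validator runs on the decoded string rather than the raw request text, because the raw JSON contains only the two-character escape and would pass a naive search for a literal line feed.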

Solution

Upgrade to ZenML version 0.57.1 or later.

See Also

https://huntr.com/bounties/a387c935-b970-44d7-bddc-71c1c90aa2de

https://github.com/zenml-io/zenml/releases/tag/0.57.1

http://www.nessus.org/u?9d344918

Plugin Details

Severity: Medium

ID: 213485

File Name: zenml_CVE-2024-4460.nasl

Version: 1.1

Type: combined

Published: 1/3/2025

Updated: 1/3/2025

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 4

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P

CVSS Score Source: CVE-2024-4460

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Vulnerability Information

CPE: cpe:/a:zenml:zenml

Required KB Items: installed_sw/ZenML

Patch Publication Date: 6/24/2024

Vulnerability Publication Date: 6/24/2024

Reference Information

CVE: CVE-2024-4460

CWE: CWE-400