Access Control: ZenML ZenML Server - Improper Authentication¶
Identifier:
cve_2024_25723
Scanner(s) Support¶
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
Description¶
ZenML Server before 0.46.7 allows remote privilege escalation because the /api/v1/users/{user_name_or_id}/activate endpoint allows access based on a valid username and new password in the request body without proper authentication.
How we test: We test for improper authentication vulnerabilities in ZenML Server by attempting to activate user accounts using valid usernames and new passwords without proper authentication, then analyzing responses to detect if privilege escalation is possible.
Reference:
- https://www.zenml.io/blog/critical-security-update-for-zenml-users
- https://github.com/zenml-io/zenml
- https://github.com/zenml-io/zenml/compare/0.42.1...0.42.2
- https://github.com/zenml-io/zenml/compare/0.43.0...0.43.1
- https://github.com/zenml-io/zenml/compare/0.44.3...0.44.4
Configuration¶
Example¶
Example configuration:
Reference¶
skip¶
Type : boolean
Skip the test if true.