CVE-2024-4311

Published Nov 14, 2024

Last updated 2 days ago

CVSS medium 5.4

Overview

Description
zenml-io/zenml version 0.56.4 is vulnerable to an account takeover due to the lack of rate-limiting in the password change function. An attacker can brute-force the current password in the 'Update Password' function, allowing them to take over the user's account. This vulnerability is due to the absence of rate-limiting on the '/api/v1/current-user' endpoint, which does not restrict the number of attempts an attacker can make to guess the current password. Successful exploitation results in the attacker being able to change the password and take control of the account.
Source
security@huntr.dev
NVD status
Awaiting Analysis

Risk scores

CVSS 3.0

Type
Secondary
Base score
5.4
Impact score
4.2
Exploitability score
1.2
Vector string
CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:H
Severity
MEDIUM

Weaknesses

security@huntr.dev
CWE-770

Social media

Hype score
Not currently trending

  1. CVE-2024-4311 zenml-io/zenml version 0.56.4 is vulnerable to an account takeover due to the lack of rate-limiting in the password change function. An attacker can brute-force the cur… https://t.co/XRrPXdq4AJ

    @CVEnew

    14 Nov 2024

    280 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References