CVE-2024-4311
published 2024-11-14


Priority: P4 (30)
Severity: medium, 5.4 (CVSS 3.1)
Vector: AV:N / AC:H / PR:L / UI:R / S:U / C:L / I:N / A:H
EPSS: 0.46% (36.3rd percentile)
zenml-io/zenml version 0.56.4 is vulnerable to an account takeover due to the lack of rate-limiting in the password change function. An attacker can brute-force the current password in the 'Update Password' function, allowing them to take over the user's account. This vulnerability is due to the absence of rate-limiting on the '/api/v1/current-user' endpoint, which does not restrict the number of attempts an attacker can make to guess the current password. Successful exploitation results in the attacker being able to change the password and take control of the account.

Affected (3 ranges)

Vendor   | Product         | Version range              | Fixed in
zenml-io | zenml-io_zenml  | >= unspecified < 0.57.0    | 0.57.0
zenml    | zenml           |                            |
zenml    | zenml           | >= 0 < 0.57.0rc2           | 0.57.0rc2

CVSS provenance

Source | Version | Score | Severity | Vector
nvd    | v3.1    | 5.4   | MEDIUM   | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:H
nvd    | v3.0    | 5.4   | MEDIUM   | CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:H