id: CVE-2024-25723

info:
  name: ZenML ZenML Server - Improper Authentication
  author: David Botelho Mariano
  severity: critical
  description: |
    ZenML Server in the ZenML machine learning package before 0.46.7 for Python allows remote privilege escalation because the /api/v1/users/{user_name_or_id}/activate REST API endpoint allows access on the basis of a valid username along with a new password in the request body.
  impact: |
    Successful exploitation could lead to unauthorized access to sensitive data.
  remediation: |
    Implement proper authentication mechanisms and ensure access controls are correctly configured.
  reference:
    - https://www.zenml.io/blog/critical-security-update-for-zenml-users
    - https://github.com/zenml-io/zenml
    - https://github.com/zenml-io/zenml/compare/0.42.1...0.42.2
    - https://github.com/zenml-io/zenml/compare/0.43.0...0.43.1
    - https://github.com/zenml-io/zenml/compare/0.44.3...0.44.4
  classification:
    epss-score: 0.00045
    epss-percentile: 0.15096
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.favicon.hash:-2028554187
    fofa-query: body="ZenML"
  tags: cve,cve2024,passive,auth-bypass,zenml

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/v1/info"

    matchers:
      - type: dsl
        dsl:
          - "compare_versions(version, '< 0.46.7')"
          - "!contains_any(version, '0.44.4', '0.43.1', '0.42.2')"
          - "contains_all(body, 'deployment_type', 'database_type')"
        condition: and

    extractors:
      - type: regex
        part: body
        group: 1
        name: version
        regex:
          - '"version":"(.*?)"'
        internal: true
# digest: 4b0a00483046022100e91e5c8905a28ff8574f46555def47ed93497e70f8ad7639c87575d09c27d4c902210089872c34c9e30a09e440c3b9d994ba1a0453d9435cb0048c67edffa918074edb:922c64590222798bb761d5b6d8e72950