Sightline

Medium

zenml

Denial of Service via Component Name Injection

A Denial of Service (DoS) vulnerability was identified in ZenML version 0.56.3, allowing low-privileged users to disrupt the functionality of the ZenML Dashboard by injecting a newline character (`\n`) into component names through the API. This vulnerability was patched in version 0.57.1.

Available publicly on Jun 24 2024 | Available with Premium on May 15 2024

CVE:

CVE-2024-4460

CWE:

400:Uncontrolled Resource Consumption

CVSS:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Credit:

sev-hack

Assess Detect

Premium

Remediate

Remediation Steps

Update ZenML to version 0.57.1 or later.
Validate and sanitize all inputs on the server side to ensure special characters like newline (\n) are properly escaped or rejected.
Implement strict access controls and privilege management to minimize the potential impact of such vulnerabilities.
Regularly audit and review code for potential injection vulnerabilities, especially in API endpoints handling user inputs.

Patch Details

Fixed Version: 0.57.1
Patch Commit: https://github.com/zenml-io/zenml/commit/164cc09032060bbfc17e9dbd62c13efd5ff5771b

Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have 452- related security advisories that are available with Sightline Premium.