Insufficient Session Expiration After Password Reset
A vulnerability in ZenML version 0.56.3 allows attackers to reuse old session credentials or session IDs after a password change. The issue, classified as insufficient session expiration, was discovered in a self-hosted ZenML deployment running in Docker and was not patched in the reported version.
Available publicly on Jun 08 2024
Remediation Steps
- Update ZenML to a version where this vulnerability is patched.
- Implement session invalidation upon password reset within the application's authentication logic.
- Regularly review and update session management policies to ensure they comply with security best practices.
- Educate users on the importance of securing their sessions and the potential risks of shared or public computers.
Patch Details
- Fixed Version: N/A
- Patch Commit: N/A