Privilege Escalation in User Account Management
A vulnerability in zenml-io/zenml versions up to and including 0.56.3 allows regular users to escalate their privileges to that of a service account. This issue was patched in version 0.57.0.
Available publicly on Jun 10 2024 | Available with Premium on May 16 2024
Threat Overview
The vulnerability arises from an incorrect privilege assignment mechanism within the zenml user management system. Specifically, it allows authenticated users to modify their account details to flag their account as a 'service account' through a crafted HTTP PUT request. This flaw effectively grants regular users the ability to elevate their privileges within the system, bypassing intended security controls and gaining unauthorized access to functionalities or data reserved for service accounts.
Attack Scenario
An attacker, after gaining access to the system as a regular user, crafts a malicious HTTP PUT request targeting the '/api/v1/current-user' endpoint. This request includes parameters to change the user's password and set the 'is_service_account' flag to true. Upon successful execution, the attacker's user account is elevated to a service account, granting them higher privileges and access rights within the application.
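The request described above works only if the self-update handler copies every field of the PUT body onto the caller's record. The following is an added illustrative example, not ZenML's own code: the `User` record, the handler functions and the constructed request body are assumptions, and the real implementation is not shown on this page.

```python
# Illustrative model of the flaw: a self-service profile update that accepts
# arbitrary fields (mass assignment) next to an allowlisted, hardened version.
from dataclasses import dataclass, replace
from typing import Any, Dict


@dataclass
class User:
    name: str
    password: str = ""          # a real service would store a hash
    is_service_account: bool = False


# Fields a user may change on their own account. Privilege-bearing attributes
# such as is_service_account are deliberately absent from this allowlist.
SELF_UPDATABLE = {"name", "password"}


class ForbiddenFieldError(ValueError):
    pass


def update_current_user_vulnerable(user: User, payload: Dict[str, Any]) -> User:
    """Vulnerable pattern (assumed shape of the pre-0.57.0 behaviour): every
    key in the PUT body that matches a user attribute is copied over, so a
    body containing is_service_account=true promotes the caller."""
    return replace(user, **{k: v for k, v in payload.items() if hasattr(user, k)})


def would_reject(payload: Dict[str, Any]) -> bool:
    """True if the hardened handler refuses this body (fields outside the allowlist)."""
    return bool(set(payload) - SELF_UPDATABLE)


def update_current_user_fixed(user: User, payload: Dict[str, Any]) -> User:
    """Hardened: reject any field outside SELF_UPDATABLE instead of silently
    ignoring it, so account type can never be changed through self-update."""
    if would_reject(payload):
        raise ForbiddenFieldError(f"cannot self-update: {sorted(set(payload) - SELF_UPDATABLE)}")
    return replace(user, **payload)


def is_suspicious_request(method: str, path: str, body: Dict[str, Any]) -> bool:
    """Audit/alert rule: a self-update that tries to touch the service-account flag."""
    return method == "PUT" and path == "/api/v1/current-user" and "is_service_account" in body


# Constructed sample body matching the scenario: password change plus flag flip.
SAMPLE_BODY: Dict[str, Any] = {"password": "new-secret", "is_service_account": True}
```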
Who is affected
All users of zenml-io/zenml versions 0.56.3 and below are affected by this vulnerability. Specifically, systems where regular users can access and send crafted requests to the application's backend are at risk of unauthorized privilege escalation.