Headline
GHSA-7gjr-hcc3-xfr4: Improper line feed handling in zenml
A denial of service (DoS) vulnerability exists in zenml-io/zenml version 0.56.3 due to improper handling of line feed (\n
) characters in component names. When a low-privileged user adds a component through the API endpoint api/v1/workspaces/default/components
with a name containing a \n
character, it leads to uncontrolled resource consumption. This vulnerability results in the inability of users to add new components in certain categories (e.g., ‘Image Builder’) and to register new stacks through the UI, thereby degrading the user experience and potentially rendering the ZenML Dashboard unusable. The issue does not affect component addition through the Web UI, as \n
characters are properly escaped in that context. The vulnerability was tested on ZenML running in Docker, and it was observed in both Firefox and Chrome browsers.
Skip to content
Navigation Menu
Actions
Automate any workflow
Packages
Host and manage packages
Security
Find and fix vulnerabilities
Codespaces
Instant dev environments
GitHub Copilot
Write better code with AI
Code review
Manage code changes
Issues
Plan and track work
Discussions
Collaborate outside of code
GitHub Sponsors
Fund open source developers
* The ReadME Project
GitHub community articles
Enterprise platform
AI-powered developer platform
- Pricing
Provide feedback
Saved searches****Use saved searches to filter your results more quickly
Sign up
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2024-4460
Improper line feed handling in zenml
Moderate severity GitHub Reviewed Published Jun 24, 2024 to the GitHub Advisory Database • Updated Jun 24, 2024
Affected versions
< 0.57.1
Description
A denial of service (DoS) vulnerability exists in zenml-io/zenml version 0.56.3 due to improper handling of line feed (\n) characters in component names. When a low-privileged user adds a component through the API endpoint api/v1/workspaces/default/components with a name containing a \n character, it leads to uncontrolled resource consumption. This vulnerability results in the inability of users to add new components in certain categories (e.g., ‘Image Builder’) and to register new stacks through the UI, thereby degrading the user experience and potentially rendering the ZenML Dashboard unusable. The issue does not affect component addition through the Web UI, as \n characters are properly escaped in that context. The vulnerability was tested on ZenML running in Docker, and it was observed in both Firefox and Chrome browsers.
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-4460
- zenml-io/zenml@164cc09
- https://huntr.com/bounties/a387c935-b970-44d7-bddc-71c1c90aa2de
Published to the GitHub Advisory Database
Jun 24, 2024
Last updated
Jun 24, 2024