CVE-2024-4311

Advisory

Affected versions of zenml-io/zenml before are vulnerable to Open Redirection (CWE-601). This vulnerability allows attackers to redirect users to malicious sites by manipulating the next parameter in the login functionality. The impact includes phishing attacks and unauthorized access to sensitive resources. The attack vector involves crafting requests with malicious next parameters to the /api/v1/current-user endpoint. Vulnerable functions include login in app_blueprint.py and get_redirect_url in helpers.py. To mitigate, upgrade to zenml-io/zenml the version which implements proper validation and handling of redirect URLs, preventing unauthorized redirections.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

• https://github.com/advisories/GHSA-j3vq-pmp5-r5xj
• https://github.com/zenml-io/zenml/commit/87a6c2c8f45b49ea83fbb5fe8fff7ab5365a60c9
• https://huntr.com/bounties/d5517e1a-6b94-4e38-aad6-3aa65f98bec2
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4311