CVE-2024-2035

{"id": "CVE-2024-2035", "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 1.2}]}, "published": "2024-06-06T19:15:53.313", "references": [{"url": "https://github.com/zenml-io/zenml/commit/b95f083efffa56831cd41d8ed536aeb0b6038fa3", "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/1cfc6493-082e-4229-9f2f-496801a6557c", "source": "security@huntr.dev"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-1220"}]}], "descriptions": [{"lang": "en", "value": "An improper authorization vulnerability exists in the zenml-io/zenml repository, specifically within the API PUT /api/v1/users/id endpoint. This vulnerability allows any authenticated user to modify the information of other users, including changing the `active` status of user accounts to false, effectively deactivating them. This issue affects version 0.55.3 and was fixed in version 0.56.2. The impact of this vulnerability is significant as it allows for the deactivation of admin accounts, potentially disrupting the functionality and security of the application."}, {"lang": "es", "value": "Existe una vulnerabilidad de autorizaci\u00f3n incorrecta en el repositorio zenml-io/zenml, espec\u00edficamente dentro del endpoint API PUT /api/v1/users/id. Esta vulnerabilidad permite que cualquier usuario autenticado modifique la informaci\u00f3n de otros usuarios, incluido cambiar el estado \"activo\" de las cuentas de usuario a falso, desactiv\u00e1ndolas efectivamente. Este problema afecta a la versi\u00f3n 0.55.3 y se solucion\u00f3 en la versi\u00f3n 0.56.2. El impacto de esta vulnerabilidad es significativo ya que permite la desactivaci\u00f3n de cuentas de administrador, lo que potencialmente altera la funcionalidad y seguridad de la aplicaci\u00f3n."}], "lastModified": "2024-06-07T14:56:05.647", "sourceIdentifier": "security@huntr.dev"}