CVE-2024-2260 - OpenCVE

A session fixation vulnerability exists in the zenml-io/zenml application, where JWT tokens used for user authentication are not invalidated upon logout. This flaw allows an attacker to bypass authentication mechanisms by reusing a victim's JWT token.

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v2

Vendors & Products
CPE Configurations

No data.

No data.

References

Link	Resource
https://github.com/zenml-io/zenml/commit/68bcb3ba60cba9729c9713a49c39502d40fb945e
https://huntr.com/bounties/2d0856ec-ed73-477a-8ea2-d5d4f15cf167

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-04-16T00:00:14.951Z

Updated: 2024-07-03T21:04:22.816Z

Reserved: 2024-03-07T11:52:54.353Z

Link: CVE-2024-2260

JSON object: View

NVD Information

Status : Awaiting Analysis

Published: 2024-04-16T00:15:11.237

Modified: 2024-04-16T13:24:07.103

Link: CVE-2024-2260

JSON object: View

Redhat Information

No data.

CWE

CWE-384

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-2260", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2024-03-07T11:52:54.353Z", "datePublished": "2024-04-16T00:00:14.951Z", "dateUpdated": "2024-07-03T21:04:22.816Z"}, "containers": {"cna": {"title": "Session Fixation Vulnerability in zenml-io/zenml", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-04-16T11:10:45.359Z"}, "descriptions": [{"lang": "en", "value": "A session fixation vulnerability exists in the zenml-io/zenml application, where JWT tokens used for user authentication are not invalidated upon logout. This flaw allows an attacker to bypass authentication mechanisms by reusing a victim's JWT token."}], "affected": [{"vendor": "zenml-io", "product": "zenml-io/zenml", "versions": [{"version": "unspecified", "lessThan": "0.56.2", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/2d0856ec-ed73-477a-8ea2-d5d4f15cf167"}, {"url": "https://github.com/zenml-io/zenml/commit/68bcb3ba60cba9729c9713a49c39502d40fb945e"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "baseScore": 4.2, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-384 Session Fixation", "cweId": "CWE-384"}]}], "source": {"advisory": "2d0856ec-ed73-477a-8ea2-d5d4f15cf167", "discovery": "EXTERNAL"}}, "adp": [{"affected": [{"vendor": "zenmlio", "product": "zenml", "cpes": ["cpe:2.3:a:zenmlio:zenml:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "0.56.2", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-03T17:33:53.794175Z", "id": "CVE-2024-2260", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-03T21:04:22.816Z"}}]}}