ZenML CVE-2024-4311: No Rate Limit in Password Change Leads to Account Takeover

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Vulnerability Description: - Vulnerability Name: No rate-limit in the password change function leads to Account Take Over in zenml-io/zenml - Vulnerability Type: CWE-770: Allocation of Resources Without Limits or Throttling - Vulnerability Severity: Medium (5.4) - Vulnerability Impact: Allows attackers to scan victims' passwords and potentially take over accounts. 2. Vulnerability Exploitation: - Exploitation Method: By exploiting the "Update Password" section in the password change function, attackers can perform brute-force attacks using large dictionaries to take over user accounts. - Exploitation Steps: 1. Log in to any account. 2. Navigate to "Settings > Personal Details" and focus on the "Update Password" section. 3. Enter any random password and click "Change Password". 4. Before sending the request to Intruder, the attacker intercepts the request. 5. In the "/api/v1/current-user" endpoint, select the position of the "old_password" parameter. 6. Add a password list to the Payload. 7. Start the attack: the attacker performs a brute-force attack. 8. Success! Password updated: Once Intruder successfully matches a password from the list, it updates the victim’s password, thereby gaining control of the account. 3. Vulnerability Impact: - Allows attackers to scan victims' passwords and potentially take over accounts. 4. Vulnerability Status: - Status: Fixed - Disclosure Bounty: $125 - Fix Bounty: $31.25 5. Vulnerability Discoverer: - Discoverer: Nhien.IT (@nhienit2010) - Discoverer Reputation: Lightweight 6. Vulnerability Fixer: - Fixer: Stefan Nica (@stefannica) - Fixer Reputation: Unproven 7. Vulnerability ID: - CVE ID: CVE-2024-4311 8. Affected Version: - Affected Version: 0.56.4 9. Vulnerability Publicity: - Publicity: Public 10. Vulnerability Report Status: - Report Status: Handled - Report Time: 7 months ago 11. Vulnerability Handling Process: - Handling Process: After the report was submitted, the team handled it within 24 hours; the fixer adjusted the severity, the maintainer confirmed the report, the fixer verified the vulnerability, the researcher received the disclosure bounty, the fixer received the fix bounty, the CVE ID was assigned, and the vulnerability was disclosed publicly. This information provides a detailed overview of the vulnerability’s nature, exploitation method, impact, status, and handling process, aiding in understanding the severity and remediation.

Goal Reached Thanks to every supporter — we hit 100%!

ZenML CVE-2024-4311: No Rate Limit in Password Change Leads to Account Takeover