PT-2024-18648 · Zenml Io · Zenml

Published

2024-06-06

·

Updated

2024-10-11

·

CVE-2024-2032

CVSS v3.1

3.1

Low

Vector

AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions

zenml-io/zenml versions up to and including 0.55.3
Description

A race condition in user creation allows multiple users with the same username to be created when creation requests are sent in parallel. Concurrent user-creation requests are not handled atomically, so two requests that both pass the "username not yet taken" check can both proceed to create the user, leaving duplicate records, data inconsistencies and potential authentication problems. Concurrent processes may then overwrite or corrupt user data, which complicates user identification and poses security risks. The issue is particularly concerning for API operations that take the username as an input parameter, such as the "PUT /api/v1/users/test race" endpoint cited in the report, where a username that resolves to more than one record can lead to further complications.
Recommendations

For versions up to and including 0.55.3, update to version 0.55.5, which resolves the issue. As a temporary workaround, restrict access to the API endpoint "PUT /api/v1/users/test race" to minimize the risk of exploitation.
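The following added example (not ZenML's code, and not taken from the advisory) reproduces the class of bug described above and the standard fix. It assumes a minimal user table on an in-memory SQLite database: the vulnerable path does an application-level "check, then insert", and a constructed barrier forces two requests to interleave between the check and the insert; the hardened path keeps the same check but makes a database UNIQUE constraint the authority, translating its violation into a refusal. The store, helper names and the barrier are assumptions for illustration only.

```python
"""Check-then-insert race on usernames, and the unique-constraint fix.

Added example, not code from the ZenML project. The constructed `gate`
(a threading.Barrier) makes the interleaving deterministic so the race
is reproduced every time instead of only under load.
"""
import sqlite3
import threading


class UserStore:
    """Minimal user table on an in-memory SQLite database (assumed model).

    Every single statement runs under a lock, as a real driver/connection
    pool would serialize it, but the *sequence* of statements issued by one
    request is not atomic. That gap is the root cause of the race.
    `unique=True` adds the database-level UNIQUE constraint on the name.
    """

    def __init__(self, unique: bool):
        self._conn = sqlite3.connect(":memory:", check_same_thread=False,
                                     isolation_level=None)  # autocommit
        self._lock = threading.Lock()
        constraint = "UNIQUE" if unique else ""
        self._exec("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                   f"name TEXT NOT NULL {constraint})")

    def _exec(self, sql, params=()):
        with self._lock:
            return self._conn.execute(sql, params).fetchall()

    def exists(self, name):
        return bool(self._exec("SELECT 1 FROM users WHERE name = ?", (name,)))

    def insert(self, name):
        self._exec("INSERT INTO users (name) VALUES (?)", (name,))

    def count(self, name):
        return self._exec("SELECT COUNT(*) FROM users WHERE name = ?",
                          (name,))[0][0]


def create_user_racy(store, name, gate=None):
    """Vulnerable pattern: uniqueness enforced only by an application check.

    Two parallel requests both see "name not taken", then both insert.
    """
    if store.exists(name):
        return False
    if gate is not None:
        gate.wait()  # constructed delay: every request is now past the check
    store.insert(name)
    return True


def create_user_fixed(store, name, gate=None):
    """Hardened pattern: keep the friendly pre-check for the common case, but
    let the database's UNIQUE constraint decide. The loser of the race gets an
    IntegrityError, which the API layer reports as a conflict (e.g. HTTP 409)
    instead of silently producing a duplicate user.
    """
    if store.exists(name):
        return False
    if gate is not None:
        gate.wait()
    try:
        store.insert(name)
    except sqlite3.IntegrityError:  # UNIQUE constraint failed: users.name
        return False
    return True


def run_parallel(create, store, name, n=2):
    """Fire `n` concurrent creation requests for the same username.

    Returns (rows with that name, number of requests that reported success).
    """
    gate = threading.Barrier(n)
    results = [None] * n

    def worker(i):
        results[i] = create(store, name, gate)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return store.count(name), sum(results)


if __name__ == "__main__":
    print("racy, no constraint:", run_parallel(create_user_racy,
                                              UserStore(unique=False), "alice"))
    print("fixed, UNIQUE name: ", run_parallel(create_user_fixed,
                                              UserStore(unique=True), "alice", n=5))
```

The vulnerable run ends with two rows named `alice` and both requests reporting success; the hardened run ends with exactly one row however many requests race, and all but one are refused. The temporary workaround in the recommendations (restricting the endpoint) only narrows who can trigger the interleaving; the durable fix is the uniqueness guarantee living in the database rather than in a check the application performs before the insert.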

Fix

Fixed in version 0.55.5

Weakness Enumeration

Race Condition

Related Identifiers

CVE-2024-2032
GHSA-C546-8JMQ-HPRJ
PYSEC-2024-105

Affected Products

Zenml