PT-2024-18651 · Zenml Io · Zenml

Published: 2024-06-06 · Updated: 2025-10-15 · CVE-2024-2035

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: zenml-io/zenml version 0.55.3

Description: An improper authorization issue exists in the zenml-io/zenml repository, specifically within the API "PUT /api/v1/users/id" endpoint. This issue allows any authenticated user to modify the information of other users, including changing the active status of user accounts to false, effectively deactivating them. The impact of this issue is significant, as it allows for the deactivation of admin accounts, potentially disrupting the functionality and security of the application.

Recommendations: For version 0.55.3, update to version 0.56.2 to resolve the issue. As a temporary workaround, consider restricting access to the "PUT /api/v1/users/id" endpoint to prevent unauthorized modifications to user accounts. Additionally, restrict the ability to change the active status of user accounts to authorized personnel only.
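An added illustration of the missing check, not ZenML's code: a user-update handler that verifies authentication only (the flawed pattern the advisory describes) beside one that also enforces who may change which fields on the "PUT /api/v1/users/id" update. The User fields, the field lists and the function names are assumptions made for this example.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class User:
    id: str
    is_admin: bool
    active: bool = True
    full_name: str = ""


class Forbidden(Exception):
    """Raised when the caller may not perform the requested update."""


# Attributes only an administrator may change on any account; "active" is the
# flag the advisory's deactivation scenario abuses. Field names are assumptions.
ADMIN_ONLY_FIELDS = frozenset({"active", "is_admin"})
SELF_EDITABLE_FIELDS = frozenset({"full_name"})


def update_user_vulnerable(actor, target, changes):
    """Models the flawed behaviour: authentication is the only check, so any
    logged-in user can rewrite any account, including setting active=False."""
    if actor is None:
        raise Forbidden("not authenticated")
    return replace(target, **changes)


def update_user_fixed(actor, target, changes):
    """Object-level authorization: a user may edit only their own profile
    fields; only an active administrator may touch other accounts or the
    admin-only flags. Returns the updated User or raises Forbidden."""
    if actor is None:
        raise Forbidden("not authenticated")
    if not actor.active:
        raise Forbidden("deactivated accounts may not modify users")
    if actor.is_admin:
        allowed = ADMIN_ONLY_FIELDS | SELF_EDITABLE_FIELDS
    elif actor.id == target.id:
        allowed = SELF_EDITABLE_FIELDS
    else:
        raise Forbidden(f"user {actor.id} may not modify user {target.id}")
    denied = set(changes) - allowed
    if denied:
        raise Forbidden(f"user {actor.id} may not change {sorted(denied)}")
    return replace(target, **changes)
```

The fixed variant also rejects unknown attribute names, since they never appear in an allowed set, which keeps the check from being bypassed by fields the model grows later.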

Weakness Enumeration: Missing Authorization

Related Identifiers:
CVE-2024-2035
GHSA-9X88-4JG8-4VF7
PYSEC-2024-169

Affected Products: Zenml