CVE-2024-4460

Name of the Vulnerable Software and Affected Versions zenml-io/zenml version 0.56.3

Description A denial of service issue exists due to improper handling of line feed ( ) characters in component names. When a low-privileged user adds a component through the API endpoint api/v1/workspaces/default/components with a name containing a character, it leads to uncontrolled resource consumption. This results in the inability of users to add new components in certain categories and to register new stacks through the UI, degrading the user experience and potentially rendering the ZenML Dashboard unusable. The issue does not affect component addition through the Web UI, as characters are properly escaped in that context.

Recommendations For zenml-io/zenml version 0.56.3, as a temporary workaround, consider restricting access to the api/v1/workspaces/default/components API endpoint to prevent low-privileged users from adding components with names containing characters until a patch is available. Avoid using the name parameter in the affected API endpoint with values containing characters. At the moment, there is no information about a newer version that contains a fix for this vulnerability.