Zenml Application Vulnerable to Session Fixation Attacks
CVE-2024-2260

4.2MEDIUM

Key Information:

Vendor: Zenml-io
Status: Zenml-io/zenml
Vendor: CVE Published:; 16 April 2024

What is CVE-2024-2260?

A session fixation vulnerability exists in the zenml-io/zenml application, where JWT tokens used for user authentication are not invalidated upon logout. This flaw allows an attacker to bypass authentication mechanisms by reusing a victim's JWT token.

Affected Version(s)

zenml-io/zenml < 0.56.2

References

https://huntr.com/bounties/2d0856ec-ed73-477a-8ea2-d5d4f1...

https://github.com/zenml-io/zenml/commit/68bcb3ba60cba972...

CVSS V3.1

Score:

4.2

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 16, 2024
Vulnerability Reserved
Mar 7, 2024

CVE-2024-2260 Data

JSON

Zenml-io

What is CVE-2024-2260?

Affected Version(s)

References

CVSS V3.1

Timeline