Potential Account Takeover in ZenML due to Rate-Limiting Flaw
CVE-2024-4311
Currently unrated
What is CVE-2024-4311?
ZenML version 0.56.4 is exposed to account takeover because its password-change functionality applies no rate limiting. A password change through the '/api/v1/current-user' endpoint must supply the account's current password before a new one is set, but the endpoint places no limit on how many times a wrong current password can be submitted and does not lock the account after repeated failures, so an attacker can brute-force the current password online against the live server. Once the correct password is found, the attacker can set a new one and take over the account, compromising account integrity and any data the account can reach.
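The following is an added example, not ZenML's code, that models the flaw and its fix side by side: an unthrottled password-change handler that checks every guess (the behaviour described above) next to one that counts failed current-password attempts per user in a sliding window and refuses further attempts once a threshold is reached. The PasswordStore class, the ThrottledChanger class, the threshold of 5 failures, the 300-second window and the candidate wordlist are all assumptions made for the demonstration; a real deployment would enforce this server-side and usually combine it with per-client limits and audit logging.

```python
"""Added example (not ZenML code): per-user failed-attempt limiting for a
password-change check. Names, thresholds and sample data are assumptions."""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # assumption: refuse after 5 wrong current-password guesses
WINDOW_SECONDS = 300    # assumption: counted within a 5-minute sliding window
PBKDF2_ITERATIONS = 50_000  # kept modest so the demo loops run quickly; use a higher cost in production


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class PasswordStore:
    """Minimal salted-hash store standing in for the real user database (hypothetical)."""

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[user] = (salt, _hash(password, salt))

    def verify(self, user: str, password: str) -> bool:
        record = self._records.get(user)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(digest, _hash(password, salt))


class UnthrottledChanger:
    """Models the vulnerable behaviour: every guess at the current password is checked, without limit."""

    def __init__(self, store: PasswordStore) -> None:
        self.store = store

    def change_password(self, user: str, current: str, new: str) -> str:
        if not self.store.verify(user, current):
            return "wrong-password"
        self.store.set_password(user, new)
        return "changed"


class ThrottledChanger:
    """Hardened form: track failed attempts per user and reject before verifying once the limit is hit."""

    def __init__(self, store: PasswordStore, max_failures: int = MAX_FAILURES,
                 window: float = WINDOW_SECONDS, clock=time.monotonic) -> None:
        self.store = store
        self.max_failures = max_failures
        self.window = window
        self.clock = clock  # injectable so the sliding window can be tested deterministically
        self._failures: dict[str, deque] = defaultdict(deque)

    def _prune(self, user: str, now: float) -> None:
        q = self._failures[user]
        while q and now - q[0] > self.window:
            q.popleft()

    def change_password(self, user: str, current: str, new: str) -> str:
        now = self.clock()
        self._prune(user, now)
        q = self._failures[user]
        if len(q) >= self.max_failures:
            return "locked"  # do not even run the password check while locked
        if not self.store.verify(user, current):
            q.append(now)
            return "wrong-password"
        q.clear()
        self.store.set_password(user, new)
        return "changed"


def brute_force(changer, user: str, candidates: list[str], new_password: str) -> tuple[str, int]:
    """Attacker loop: submit each candidate as the current password. Returns (outcome, attempts used)."""
    for attempt, guess in enumerate(candidates, start=1):
        result = changer.change_password(user, guess, new_password)
        if result == "changed":
            return "taken-over", attempt
        if result == "locked":
            return "locked", attempt
    return "exhausted", len(candidates)


def demo() -> tuple[tuple[str, int], tuple[str, int]]:
    """Run the same constructed wordlist against the vulnerable and hardened handlers."""
    wordlist = [f"password{n}" for n in range(1, 51)]  # constructed candidate list
    secret = "password42"                               # constructed victim password

    weak_store = PasswordStore()
    weak_store.set_password("alice", secret)
    weak = brute_force(UnthrottledChanger(weak_store), "alice", wordlist, "attacker-chosen")

    hard_store = PasswordStore()
    hard_store.set_password("alice", secret)
    hard = brute_force(ThrottledChanger(hard_store), "alice", wordlist, "attacker-chosen")
    return weak, hard


if __name__ == "__main__":
    print(demo())
```

Against the unthrottled handler the loop finds the current password on the 42nd guess and replaces it; against the throttled handler the sixth request is refused before any comparison runs, and the victim's password is unchanged. The lockout is keyed per target account so a single compromised session cannot sweep a wordlist, and the injectable clock lets the window expiry be tested without sleeping.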
