CVE-2024-2083 — Directory traversal in zenml

Description

A directory traversal vulnerability exists in the zenml-io/zenml repository, specifically within the /api/v1/steps endpoint. Attackers can exploit this vulnerability by manipulating the 'logs' URI path in the request to fetch arbitrary file content, bypassing intended access restrictions. The vulnerability arises due to the lack of validation for directory traversal patterns, allowing attackers to access files outside of the restricted directory.

How to fix CVE-2024-2083

To remediate CVE-2024-2083, upgrade the affected package to a fixed version below.

—upgrade to 0.55.5 or later
—upgrade to 0.55.5 or later

Is CVE-2024-2083 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 0.55.5
from 0, < 0.55.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.9	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References (6)

ADVISORYgithub.com/advisories/GHSA-6h3f-43vq-53hj
ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-2083
PATCHgithub.com/zenml-io/zenml
WEBgithub.com/pypa/advisory-database/tree/main/vulns/zenml/PYSEC-2024-247.yaml