CVE-2024-2260 — zenml Session Fixation vulnerability

Description

A session fixation vulnerability exists in the zenml-io/zenml application, where JWT tokens used for user authentication are not invalidated upon logout. This flaw allows an attacker to bypass authentication mechanisms by reusing a victim's JWT token.

How to fix CVE-2024-2260

To remediate CVE-2024-2260, upgrade the affected package to a fixed version below.

PyPI/zenml—upgrade to 0.56.2 or later
—upgrade to 68bcb3ba60cba9729c9713a49c39502d40fb945e or later

Is CVE-2024-2260 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 0.56.2
from 0, < 68bcb3ba60cba9729c9713a49c39502d40fb945e, < 68bcb3ba60cba9729c9713a49c39502d40fb945e | from 0, < 0.56.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.2	CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

References (6)

ADVISORYgithub.com/advisories/GHSA-g3r5-72hf-p7p2
ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-2260
PATCHgithub.com/zenml-io/zenml
WEBgithub.com/pypa/advisory-database/tree/main/vulns/zenml/PYSEC-2024-254.yaml