AVID-2026-R1405

Description

Directory Traversal in zenml-io/zenml (CVE-2024-2083)

Details

A directory traversal vulnerability exists in the zenml-io/zenml repository, specifically within the /api/v1/steps endpoint. Attackers can exploit this vulnerability by manipulating the ‘logs’ URI path in the request to fetch arbitrary file content, bypassing intended access restrictions. The vulnerability arises due to the lack of validation for directory traversal patterns, allowing attackers to access files outside of the restricted directory.
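A containment check of the kind the description says was missing, as an added example (not ZenML's code or its fix): `LOG_ROOT`, `logs_uri` and the function names are hypothetical, and the sample values are constructed. It contrasts a `../`-only pattern filter with resolve-then-compare validation that also covers the `..\filename` form named in CWE-29.

```python
import os

# Constructed log root for illustration; not a path taken from ZenML.
LOG_ROOT = "/srv/app/step-logs"


def naive_is_safe(logs_uri: str) -> bool:
    """Pattern filter that only knows the forward-slash form of traversal."""
    return "../" not in logs_uri


def resolve_log_path(logs_uri: str, root: str = LOG_ROOT) -> str:
    """Map a caller-supplied relative log path to a file under root.

    Raises ValueError when the result would fall outside root.
    """
    if "\x00" in logs_uri:
        raise ValueError("NUL byte in path")
    # Treat '\' as a separator on every platform so the CWE-29 form
    # ('..\filename') is normalised the same way as '../filename'.
    candidate = logs_uri.replace("\\", "/")
    if candidate.startswith("/") or (len(candidate) > 1 and candidate[1] == ":"):
        raise ValueError("absolute paths are not accepted")
    real_root = os.path.realpath(root)
    # realpath collapses '..' segments and follows symlinks before the check.
    real_target = os.path.realpath(os.path.join(real_root, candidate))
    # commonpath compares whole components, so a sibling directory such as
    # 'step-logs-evil' does not pass as it would with a string prefix test.
    if os.path.commonpath([real_root, real_target]) != real_root:
        raise ValueError("path escapes the log directory")
    return real_target


def classify(logs_uri: str) -> str:
    """Return 'allowed' or 'rejected' for a request value."""
    try:
        resolve_log_path(logs_uri)
        return "allowed"
    except ValueError:
        return "rejected"


# Constructed request values.
SAMPLES = ["run-1/step.log", "../../secret.txt", "..\\..\\secret.txt",
           "run-1/../run-2/step.log", "../step-logs-evil/x.log"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:30} naive_ok={naive_is_safe(s)!s:5} strict={classify(s)}")
```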

Reason for inclusion in AVID: CVE-2024-2083 describes a directory traversal vulnerability in zenml-io/zenml affecting its API endpoint. This is a software vulnerability in an ML pipeline framework used in AI workflows, impacting components (the framework) used to build/deploy AI systems. It enables arbitrary file access, representing a security risk within the AI software stack. The issue clearly concerns software supply chain elements (dependencies/frameworks) for general-purpose AI systems, supported by the CVE details and references.

References

Affected or Relevant Artifacts

  • Developer: zenml-io
  • Deployer: zenml-io
  • Artifact Details:
      • Type: System
      • Name: zenml-io/zenml

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

  • Version: 3.0
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Base Score: 9.9
  • Base Severity: 🔴 Critical
  • Attack Vector: NETWORK
  • Attack Complexity: 🟢 Low
  • Privileges Required: 🟢 Low
  • User Interaction: NONE
  • Scope: CHANGED
  • Confidentiality Impact: 🔴 High
  • Integrity Impact: 🔴 High
  • Availability Impact: 🔴 High

CWE

  • ID: CWE-29
  • Description: CWE-29 Path Traversal: ‘..\filename’

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-04-16
  • Version: 0.3.3
  • AVID Entry