%20(1).png)
We have identified a critical security vulnerability in ZenML versions prior to 0.46.7 which has been assigned the following CVE ID: CVE-2024-25723. This vulnerability potentially allows unauthorized users to take ownership of ZenML accounts through the user activation feature.
Affected Versions:
All ZenML versions below 0.46.7 are vulnerable, with the exception of the following patch versions: (0.44.4, 0.43.1, 0.42.2).
Vulnerability Details:
The issue lies in the /api/v1/users/{user_name_or_id}/activate REST API endpoint. An existing username, along with a new password provided in the request body, can be misused to gain unauthorized access.
Immediate Action Required:
We strongly urge all ZenML users to immediately upgrade to the latest version (0.46.7 or above) or one of the patched versions (0.44.4, 0.43.1, 0.42.2) to mitigate this risk.
How to Upgrade:
- For direct installations, use pip install "zenml==0.46.7" (or the respective patched version). (Note that the current latest version is 0.55.2, released last week.)
- For containerized or orchestrated environments, update your ZenML container image or deployment configuration to use the new version.
- Ensure that any automated deployment pipelines are also updated accordingly.
ZenML Cloud Users:
We have already patched ZenML Cloud versions to address this vulnerability. No action is required for ZenML Cloud users.
Further Assistance:
If you need help with the upgrade process or have any concerns, please don't hesitate to reach out to us on this Slack channel or via our support email at security@zenml.io. Our team is here to assist you.
