The ZenML team has addressed a security finding in ZenML Pro's role management system, reported by the JFrog Security Research team. This update provides important information for users regarding role-based access controls and recommended actions.
Vulnerability Details
The vulnerability exists in ZenML Pro's role management system and could allow a user with low-privilege tenant access to escalate their permissions to full admin privileges on the affected tenant. This occurs due to inconsistencies between organization-level and tenant-level role management.
Impact:
- Unauthorized elevation of privileges from viewer to admin role within a tenant
- Potential access to sensitive tenant resources and configurations
- Ability to modify or access unauthorized components within the affected tenant
Technical Description
The vulnerability stems from a logic flaw in the role creation API endpoint. When creating a new role, the system does not properly validate the relationship between the organization ID the role belongs to and the tenant-specific scope permissions requested for it. This allows an attacker to:
- Create a role in their own organization
- Specify permissions scoped to a tenant from another organization
- Assign themselves elevated privileges on the unauthorized tenant
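To make the missing check concrete, the following is an added illustration, not ZenML Pro's code: the data model, function names and the tenant-to-organization mapping are constructed assumptions. It shows a role-creation handler that records the caller's organization but never compares it with the owner of each tenant named in the requested scope, next to the hardened version and an audit pass that flags existing roles with the same inconsistency.

```python
from dataclasses import dataclass

# Constructed sample data for this illustration: which organization owns each tenant.
TENANT_OWNER = {"tenant-a": "org-1", "tenant-b": "org-2"}


@dataclass
class Role:
    name: str
    org_id: str    # organization the role was created in
    scopes: dict   # tenant_id -> set of permissions on that tenant


class AuthorizationError(Exception):
    pass


def scope_violations(caller_org, scopes):
    """Return one message per tenant in `scopes` that `caller_org` does not own.
    An empty list means the requested scope is consistent with the organization."""
    problems = []
    for tenant_id in scopes:
        owner = TENANT_OWNER.get(tenant_id)
        if owner is None:
            problems.append(f"{tenant_id}: unknown tenant")
        elif owner != caller_org:
            problems.append(f"{tenant_id}: owned by {owner}, not {caller_org}")
    return problems


def create_role_unchecked(caller_org, name, scopes):
    """Shape of the flaw described above: the role is tied to the caller's
    organization, but the tenants named in `scopes` are never compared to it."""
    return Role(name, caller_org, dict(scopes))


def create_role_checked(caller_org, name, scopes):
    """Hardened version: refuse any scope on a tenant outside the caller's organization."""
    problems = scope_violations(caller_org, scopes)
    if problems:
        raise AuthorizationError("; ".join(problems))
    return Role(name, caller_org, dict(scopes))


def audit_roles(roles):
    """Names of existing roles whose scope reaches a tenant outside their organization,
    for reviewing data created before the validation was in place."""
    return [r.name for r in roles if scope_violations(r.org_id, r.scopes)]
```

`audit_roles` is the check a defender would run over stored role definitions after deploying the fix, since the validation only protects roles created from then on.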
Current Status
- ✅ All ZenML Pro instances have been automatically patched
- ✅ No user action is required
- ✅ The fix has been deployed across all environments
Required Action
There is no action required from users. All ZenML Pro instances are protected against this vulnerability.
Disclosure Timeline
- April 20, 2024: Initial vulnerability report received from the JFrog Security Research team
- April 20, 2024: Vulnerability confirmed and patch development initiated
- April 23, 2024: Security patch deployed to all ZenML Pro instances
Credit
This vulnerability was discovered and responsibly disclosed by Shachar Menashe, Senior Director of Security Research at JFrog. The ZenML team appreciates JFrog's commitment to responsible disclosure and collaboration in resolving this security issue. Read JFrog's full report here.
Additional Information
For technical support or to report additional security concerns, please contact the ZenML security team at security@zenml.io.
This advisory will be updated if additional information becomes available.