CVE-2024-2032

Description

A race condition vulnerability exists in zenml-io/zenml versions up to and including 0.55.3, which allows for the creation of multiple users with the same username when requests are sent in parallel. This issue was fixed in version 0.55.5. The vulnerability arises due to insufficient handling of concurrent user creation requests, leading to data inconsistencies and potential authentication problems. Specifically, concurrent processes may overwrite or corrupt user data, complicating user identification and posing security risks. This issue is particularly concerning for APIs that rely on usernames as input parameters, such as PUT /api/v1/users/test_race, where it could lead to further complications.

CVSS v3.1 Score

3.1

LOW

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L

Weakness Type (CWE)

CWE-366 CWE-366

CWE-362 CWE-362

Affected Products

Vendor	Product	Versions
zenml	zenml	< 0.55.5

References

Advisories & Patches

https://github.com/zenml-io/zenml/commit/afcaf741ef9114c9b32f722f101b97de3d8d147b https://github.com/zenml-io/zenml/commit/afcaf741ef9114c9b32f722f101b97de3d8d147b

Other References

https://huntr.com/bounties/6199cd5d-611f-4ea9-96c5-52a952ba5a56 https://huntr.com/bounties/6199cd5d-611f-4ea9-96c5-52a952ba5a56

Frequently Asked Questions

What is CVE-2024-2032? +

A race condition vulnerability exists in zenml-io/zenml versions up to and including 0.55.3, which allows for the creation of multiple users with the same username when requests are sent in parallel. This issue was fixed in version 0.55.5. The vulnerability arises due to insufficient handling of concurrent user creation requests, leading to data inconsistencies and potential authentication problems. Specifically, concurrent processes may overwrite or corrupt user data, complicating user identification and posing security risks. This issue is particularly concerning for APIs that rely on usernames as input parameters, such as PUT /api/v1/users/test_race, where it could lead to further complications. It has a CVSS v3.1 base score of 3.1 (LOW).

How severe is CVE-2024-2032? +

CVE-2024-2032 has a CVSS v3.1 score of 3.1 out of 10, rated LOW. This is a low-severity vulnerability with limited impact.

What products are affected by CVE-2024-2032? +

CVE-2024-2032 affects products from zenml, specifically: zenml. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2024-2032? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-31115

XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder …

CVE-2025-58143 9.8

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple …

CVE-2024-10630 7.8

A race condition in Ivanti Application Control Engine before version 10.14.4.0 allows a local authenticated attacker to bypass the application …

CVE-2024-6778 7.5

Race in DevTools in Google Chrome prior to 126.0.6478.182 allowed an attacker who convinced a user to install a malicious …

CVE-2024-2083 9.9

A directory traversal vulnerability exists in the zenml-io/zenml repository, specifically within the /api/v1/steps endpoint. Attackers can exploit this vulnerability by …

CVE-2024-4680 8.8

A vulnerability in zenml-io/zenml version 0.56.3 allows attackers to reuse old session credentials or session IDs due to insufficient session …