VYPR
Low severity · NVD Advisory · Published Jun 6, 2024 · Updated Aug 9, 2024

Stored XSS in zenml-io/zenml

CVE-2024-2171

Description

A stored Cross-Site Scripting (XSS) vulnerability was identified in the zenml-io/zenml repository, specifically within the 'logo_url' field. By injecting malicious payloads into this field, an attacker could send harmful messages to other users, potentially compromising their accounts. The vulnerability affects version 0.55.3 and was fixed in version 0.56.2. The impact of exploiting this vulnerability could lead to user account compromise.
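As an added illustration (not ZenML's own code or the fix shipped in 0.56.2), the two layers that close this bug class for a stored URL field such as 'logo_url': an allowlist validator on write and attribute-context escaping on render. Function and constant names are hypothetical.

```python
from html import escape
from urllib.parse import urlsplit

# Hypothetical hardening for a stored logo URL field (illustrative code, not
# ZenML's fix): validate on write, then escape for HTML attribute context on
# render. Either layer alone leaves a gap; together they close the stored XSS
# class the advisory describes.

ALLOWED_SCHEMES = {"http", "https"}


def validate_logo_url(value: str, max_len: int = 2048) -> str:
    """Return value unchanged if it is a plain absolute http(s) URL, else raise."""
    if not isinstance(value, str) or not value or len(value) > max_len:
        raise ValueError("logo_url must be a non-empty string of bounded length")
    # Reject control characters and whitespace outright: browsers strip some of
    # them before scheme parsing, so naive string checks on the raw value can be
    # bypassed while the browser still sees a script-capable scheme.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in value):
        raise ValueError("logo_url contains control or whitespace characters")
    parts = urlsplit(value)  # lowercases the scheme for us
    # A scheme allowlist (not a denylist) also rejects data: URLs and
    # scheme-relative "//host" values, which inherit the page's scheme.
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError("logo_url must be an absolute http(s) URL")
    return value


def is_safe_logo_url(value: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_logo_url(value)
        return True
    except ValueError:
        return False


def render_logo_img(stored_value: str) -> str:
    """Render the stored value as an <img>. Validate again, since the record may
    predate the validator, and escape quotes so the attribute cannot be closed."""
    safe = escape(validate_logo_url(stored_value), quote=True)
    return f'<img src="{safe}" alt="logo">'


if __name__ == "__main__":
    print(render_logo_img("https://example.com/logo.png"))
    print(is_safe_logo_url("javascript:void(0)"))  # False
```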

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: zenml (PyPI)
Affected versions: < 0.56.2
Patched versions: 0.56.2


Patches

Commit 68bcb3ba60cb: Prepare release 0.56.2 (#2564)

Repository: https://github.com/zenml-io/zenml · Author: Safoine El Khabich · Mar 25, 2024 · via ghsa
7 files changed · +53 -29
  • pyproject.toml (+1 -1, modified)
    @@ -1,6 +1,6 @@
     [tool.poetry]
     name = "zenml"
    -version = "0.56.1"
    +version = "0.56.2"
     packages = [{ include = "zenml", from = "src" }]
     description = "ZenML: Write production-ready ML code."
     authors = ["ZenML GmbH <info@zenml.io>"]
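Review bot: the version bump is the only change to pyproject.toml, and none of the seven files in this commit touches the 'logo_url' handling that the advisory describes, so this commit is a release marker rather than the code fix for CVE-2024-2171; the advisory's patch reference should also point at the commit that changed the logo_url validation or rendering, so that downstream reviewers can verify the fix itself rather than only the version string.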
    
  • README.md (+1 -1, modified)
    @@ -92,7 +92,7 @@
         <a href="https://github.com/zenml-io/zenml-projects">Projects Showcase</a>
         <br />
         <br />
    -    🎉 Version 0.56.1 is out. Check out the release notes
    +    🎉 Version 0.56.2 is out. Check out the release notes
         <a href="https://github.com/zenml-io/zenml/releases">here</a>.
         <br />
         <br />
    
  • RELEASE_NOTES.md (+24 -23, modified)
    @@ -1,26 +1,14 @@
     <!-- markdown-link-check-disable -->
    -# 0.56.1
    +# 0.56.2
     
    -This is a patch release aiming to solve a dependency problem which was brought in with the new rate 
    -limiting functionality. With 0.56.1 you no longer need `starlette` to run client code or to 
    -run ZenML CLI commands.
    +This release replaces 0.56.0 and 0.56.1, and fixes the major migration bugs that were in
    +that yanked release. Please upgrade directly to 0.56.2 and avoid upgrading to  
    +0.56.0 to avoid unexpected migration issues.
     
    -## 🥳 Community Contributions 🥳
    -
    -We'd like to thank @christianversloot for his contribution to this release.
    -
    -## What's Changed
    -* Fix pipelines and model links for the cloud dashboard by @wjayesh in https://github.com/zenml-io/zenml/pull/2554
    -* Make starlette non-must for client by @avishniakov in https://github.com/zenml-io/zenml/pull/2553
    -* Bump MLFlow to version 2.11.2 by @christianversloot in https://github.com/zenml-io/zenml/pull/2552
    -
    -
    -**Full Changelog**: https://github.com/zenml-io/zenml/compare/0.56.0...0.56.1
    -
    -# 0.56.0
    -
    -ZenML 0.56.0 introduces a wide array of new features, enhancements, and bug fixes,
    -with a strong emphasis on elevating the user experience and streamlining machine
    +Note that 0.56.0 and 0.56.1 were removed from PyPI due to an issue with the
    +alembic versions + migration which could affect the database state. This release
    +fixes that issue.
    +This release introduces introduces a wide array of new features, enhancements, and bug fixes, with a strong emphasis on elevating the user experience and streamlining machine
     learning workflows. Most notably, you can now deploy models using Hugging Face inference endpoints thanks for an open-source community contribution of this model deployer stack component!
     
     This release also comes with a breaking change to the services
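Review bot: the added line "This release introduces introduces a wide array of new features" duplicates "introduces", and "Please upgrade directly to 0.56.2 and avoid upgrading to 0.56.0 to avoid unexpected migration issues" repeats "avoid" and leaves a trailing double space after "upgrading to"; suggest "Please upgrade directly to 0.56.2 and skip 0.56.0 and 0.56.1, which could leave the database in an inconsistent migration state." The 0.56.2 notes as added also say nothing about a security fix, although this is the version the advisory names as patched; a one-line "Security" entry naming the stored XSS in the logo_url field, even before a CVE identifier is assigned, would let operators see that the upgrade is security-relevant and not only a migration repair.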
    @@ -140,8 +128,7 @@ for their contribution to this release by adding a new attribute to the `Kaniko`
     Additionally, we'd like to thank @christianversloot for his contributions to this release.
     
     
    -## All changes:
    -
    +## What's Changed
     * Upgrading SQLModel to the latest version by @bcdurak in https://github.com/zenml-io/zenml/pull/2452
     * Remove KServe integration by @safoinme in https://github.com/zenml-io/zenml/pull/2495
     * Upgrade migration testing with 0.55.5 by @avishniakov in https://github.com/zenml-io/zenml/pull/2501
    @@ -182,12 +169,26 @@ Additionally, we'd like to thank @christianversloot for his contributions to thi
     * Update `pip check` command to use `uv` by @strickvl in https://github.com/zenml-io/zenml/pull/2520
     * Implemented bitbucket webhook event source by @AlexejPenner in https://github.com/zenml-io/zenml/pull/2481
     * Add ZenMLServiceType and update service registration by @safoinme in https://github.com/zenml-io/zenml/pull/2471
    +* Prepare release 0.56.0 by @safoinme in https://github.com/zenml-io/zenml/pull/2546
    +* Fix formatting and release workflow by @strickvl in https://github.com/zenml-io/zenml/pull/2549
    +* Fix release workflow by @strickvl in https://github.com/zenml-io/zenml/pull/2550
    +* Fix pipelines and model links for the cloud dashboard by @wjayesh in https://github.com/zenml-io/zenml/pull/2554
    +* Make starlette non-must for client by @avishniakov in https://github.com/zenml-io/zenml/pull/2553
    +* Bump MLFlow to version 2.11.2 by @christianversloot in https://github.com/zenml-io/zenml/pull/2552
    +* Prepare release 0.56.1 by @avishniakov in https://github.com/zenml-io/zenml/pull/2555
    +* Updated neptune documentation by @SiddhantSadangi in https://github.com/zenml-io/zenml/pull/2548
    +* 0.56.0 and 0.56.1 in testing by @avishniakov in https://github.com/zenml-io/zenml/pull/2557
    +* Only install uv once by @schustmi in https://github.com/zenml-io/zenml/pull/2558
    +* Bump MLFlow to version 2.11.3 by @christianversloot in https://github.com/zenml-io/zenml/pull/2559
    +* Update docs with warning about pickle materializer insecurity by @avishniakov in https://github.com/zenml-io/zenml/pull/2561
    +* Add service table migration by @safoinme in https://github.com/zenml-io/zenml/pull/2563
     
     ## New Contributors
     * @dudeperf3ct made their first contribution in https://github.com/zenml-io/zenml/pull/2376
     * @moesio-f made their first contribution in https://github.com/zenml-io/zenml/pull/2509
    +* @SiddhantSadangi made their first contribution in https://github.com/zenml-io/zenml/pull/2548
     
    -**Full Changelog**: https://github.com/zenml-io/zenml/compare/0.55.5...0.56.0
    +**Full Changelog**: https://github.com/zenml-io/zenml/compare/0.55.5...0.56.2
     
     # 0.55.5
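Review bot: none of the added changelog entries references the logo_url XSS fix that 0.56.2 is credited with in the advisory above, so a reader of this list cannot locate the fixing pull request; add its entry alongside the migration and MLFlow items. The updated "Full Changelog" compare link (0.55.5...0.56.2) is correct for a release that supersedes the yanked 0.56.0 and 0.56.1, since that range is what the advisory's patched version covers.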
     
    
  • src/zenml/VERSION (+1 -1, modified)
    @@ -1 +1 @@
    -0.56.1
    \ No newline at end of file
    +0.56.2
    \ No newline at end of file
    
  • src/zenml/zen_server/deploy/helm/Chart.yaml (+1 -1, modified)
    @@ -1,6 +1,6 @@
     apiVersion: v2
     name: zenml
    -version: "0.56.1"
    +version: "0.56.2"
     description: Open source MLOps framework for portable production ready ML pipelines
     keywords:
     - mlops
    
  • src/zenml/zen_server/deploy/helm/README.md (+2 -2, modified)
    @@ -20,8 +20,8 @@ ZenML is an open-source MLOps framework designed to help you create robust, main
     To install the ZenML chart directly from Amazon ECR, use the following command:
     
     ```bash
    -# example command for version 0.56.1
    -helm install my-zenml oci://public.ecr.aws/zenml/zenml --version 0.56.1
    +# example command for version 0.56.2
    +helm install my-zenml oci://public.ecr.aws/zenml/zenml --version 0.56.2
     ```
     
     Note: Ensure you have OCI support enabled in your Helm client and that you are authenticated with Amazon ECR.
    
  • src/zenml/zen_stores/migrations/versions/0.56.2_release.py (+23 -0, added)
    @@ -0,0 +1,23 @@
    +"""Release [0.56.2].
    +
    +Revision ID: 0.56.2
    +Revises: 0701da9951a0
    +Create Date: 2024-03-25 14:49:49.021147
    +
    +"""
    +
    +# revision identifiers, used by Alembic.
    +revision = "0.56.2"
    +down_revision = "0701da9951a0"
    +branch_labels = None
    +depends_on = None
    +
    +
    +def upgrade() -> None:
    +    """Upgrade database schema and/or data, creating a new revision."""
    +    pass
    +
    +
    +def downgrade() -> None:
    +    """Downgrade database schema and/or data back to the previous revision."""
    +    pass
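Review bot: both upgrade() and downgrade() are empty, so this migration only records the 0.56.2 revision in the alembic chain; because the release notes in this same commit say 0.56.0 and 0.56.1 were yanked over an "alembic versions + migration" problem, confirm that down_revision = "0701da9951a0" is the head that a database already migrated by one of the yanked releases sits at, otherwise `alembic upgrade` on such a database will fail or fork the revision history. The docstring "creating a new revision" overstates what the no-op upgrade() does; a comment stating that this file is intentionally an empty release marker would stop a later reader from assuming a schema change went missing.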
    
