AI PRP: zenml-io/zenml weak credentials

google / tsunami-security-scanner-plugins

This project aims to provide a central repository for many useful Tsunami Security Scanner plugins.

Apache License 2.0

872 stars 176 forks source link

AI PRP: zenml-io/zenml weak credentials #444

Closed secureness closed 4 weeks ago

secureness commented 6 months ago

zenml is a well-known open-source project for production-ready MLOps pipelines.

it contains a dashboard which contains default credentials ( default/emptyPass ).

maoning commented 6 months ago

@secureness Thanks for the report, I'm putting it in the queue for now. Let's prioritize on getting the active one you are working on merged first. Then you can pick up this one.

tooryx commented 4 months ago

Hi @secureness ,

Thanks for your request! This vulnerability is in scope for the reward program. Please submit our participation form and you can start working on the development.

Please keep in mind that the Tsunami Scanner Team will only be able to work at one issue at a time for each participant so please hold on the implementation work for any other requests you might have.

Thanks!

maoning commented 4 months ago

@secureness If weak credential testing requires custom fingerprinting against the web service, please add the fingerprinting logic similar to https://github.com/google/tsunami-security-scanner-plugins/blob/e7cbb377445c80ed12e33077e3c4aacf4abcbe26/google/fingerprinters/web/src/main/java/com/google/tsunami/plugins/fingerprinters/web/WebServiceFingerprinter.java#L283. This would ensure that the service is correctly identified & labelled in the vulnerability reporting.

secureness commented 4 months ago

PR: https://github.com/google/tsunami-security-scanner-plugins/pull/491 testbeds: https://github.com/google/security-testbeds/pull/57

tooryx commented 2 months ago

Hi @secureness,

You should receive the reward message soon.

~tooryx