zenml-io / zenml

ZenML 🙏: The bridge between ML and Ops. https://zenml.io.
Apache License 2.0

[BUG]: Rate limiting Vulnerability #2480

Closed rook1337 closed 8 months ago

rook1337 commented 8 months ago


System Information

Linux

What happened?

Hello team, please check here for the full detailed report: https://huntr.com/bounties/0674977f-5fd0-4af6-b4d1-40186a6a4da7/



stefannica commented 8 months ago

As explained in the attached report, the ZenML built-in username + password authentication scheme is not meant to be used in production environments. For production settings, ZenML needs to be hooked up to an external authenticator that takes on the responsibilities of implementing more secure authentication schemes and enforcing best security practices like rate limiting, password strength and expiration, etc.
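The maintainer's reply above says that rate limiting of login attempts belongs in the authenticator placed in front of the server rather than in the built-in password scheme. The following is an added illustration of what such a front-end check does, written for this page; it is not ZenML code and not part of the thread. The class and function names (`LoginRateLimiter`, `attempt_login`), the limits, and the PBKDF2-based demo user store are all assumptions made for the example.

```python
"""Login rate limiting in front of a password check (added example, not ZenML code).

Failed attempts are counted per username AND per client IP over a sliding
window; hitting the limit on either key locks that key for a lockout period.
The clock is injectable so the behaviour can be exercised without sleeping.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, Optional
import hashlib
import hmac
import time


@dataclass
class LoginRateLimiter:
    max_attempts: int = 5             # failures allowed per key per window (assumed value)
    window_seconds: float = 60.0      # sliding window length (assumed value)
    lockout_seconds: float = 300.0    # lockout once the limit is reached (assumed value)
    clock: Callable[[], float] = time.monotonic
    _failures: Dict[str, Deque[float]] = field(default_factory=dict)
    _locked_until: Dict[str, float] = field(default_factory=dict)

    def _prune(self, key: str, now: float) -> Deque[float]:
        """Drop failure timestamps that fell out of the sliding window."""
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] > self.window_seconds:
            q.popleft()
        return q

    def is_blocked(self, key: str) -> bool:
        """True while the key is locked out; expired lockouts are cleared here."""
        now = self.clock()
        until = self._locked_until.get(key)
        if until is not None:
            if now < until:
                return True
            del self._locked_until[key]
            self._failures.pop(key, None)
        return False

    def record_failure(self, key: str) -> None:
        now = self.clock()
        q = self._prune(key, now)
        q.append(now)
        if len(q) >= self.max_attempts:
            self._locked_until[key] = now + self.lockout_seconds

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


# Constructed demo user store: PBKDF2-HMAC-SHA256 digests with a fixed salt.
# This is only so the example runs offline; it is not ZenML's storage format.
_SALT = b"example-salt"


def _digest(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS: Dict[str, bytes] = {"alice": _digest("correct horse battery staple")}
_DUMMY = _digest("dummy")  # compared against for unknown users to keep timing uniform


def attempt_login(limiter: LoginRateLimiter, username: str, client_ip: str,
                  password: str) -> str:
    """Return "locked", "denied" or "ok". Limits are checked before the password."""
    user_key, ip_key = f"user:{username}", f"ip:{client_ip}"
    if limiter.is_blocked(user_key) or limiter.is_blocked(ip_key):
        return "locked"
    stored: Optional[bytes] = USERS.get(username)
    # Always hash the candidate so unknown usernames cost the same as known ones.
    ok = hmac.compare_digest(stored if stored is not None else _DUMMY, _digest(password))
    if ok and stored is not None:
        limiter.record_success(user_key)  # only the user key resets on success
        return "ok"
    limiter.record_failure(user_key)
    limiter.record_failure(ip_key)
    return "denied"


if __name__ == "__main__":
    lim = LoginRateLimiter(max_attempts=3)
    for pw in ("a", "b", "c", "correct horse battery staple"):
        print(attempt_login(lim, "alice", "203.0.113.7", pw))
```

Two design points worth noting: the IP counter is not reset on a successful login, so an attacker who holds one valid account cannot use it to clear the counter while guessing others, and the user-keyed lockout means an attacker can lock a victim out by design, which is why a production authenticator typically pairs a short per-user lockout with IP limits and step-up challenges rather than a long per-user ban. The state here is in-process; a deployment with several server replicas would keep it in a shared store so limits are enforced across all of them.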