CVE-2024-2083
Published: 16 April 2024
Summary
CVE-2024-2083 is a critical-severity Path Traversal: '\..\filename' (CWE-29) vulnerability in ZenML. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE is ranked in the top 28.1% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised as Other Platforms, in the Other ATLAS/OWASP Terms risk domain. MITRE ATLAS techniques in scope: Obtain Capabilities (AML.T0016), Exfiltration via AI Inference API (AML.T0024).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-1126
Vulnerability details
A directory traversal vulnerability exists in the zenml-io/zenml repository, specifically within the /api/v1/steps endpoint. Attackers can exploit this vulnerability by manipulating the 'logs' URI path in the request to fetch arbitrary file content, bypassing intended access restrictions. The vulnerability arises due to the lack of validation for directory traversal patterns, allowing attackers to access files outside of the restricted directory.
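The missing validation described above can be sketched as a containment check, shown here as an added example that is not ZenML's code or its patch. The names `resolve_log_path`, `is_allowed` and `PathTraversalError` are hypothetical, `root` stands for the directory step logs may be served from, and the sample requests are constructed.

```python
import os
import tempfile
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested path would leave the allowed root."""


def resolve_log_path(root: str, requested: str) -> str:
    """Return the real path for `requested` only if it stays inside `root`."""
    # Decode percent-escapes once so "%2e%2e%2f" is checked in decoded form.
    decoded = unquote(requested)
    # CWE-29 is the '\..\filename' form: treat backslashes as separators on
    # every platform rather than trusting the host OS convention.
    decoded = decoded.replace("\\", "/")
    if "\x00" in decoded or decoded.startswith("/"):
        raise PathTraversalError(f"absolute path or NUL byte: {requested!r}")
    real_root = os.path.realpath(root)
    # realpath collapses ".." segments and follows symlinks before the check.
    candidate = os.path.realpath(os.path.join(real_root, decoded))
    # commonpath compares whole components, so a sibling such as
    # "<root>-old" is rejected where a startswith() test would accept it.
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise PathTraversalError(f"path escapes log root: {requested!r}")
    return candidate


def is_allowed(root: str, requested: str) -> bool:
    try:
        resolve_log_path(root, requested)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample requests, not taken from any real traffic.
        for sample in ("step_1/logs.txt", "step_1/../step_2/out.log",
                       "../../etc/passwd", "..\\..\\etc\\passwd",
                       "%2e%2e%2fsecret", "/etc/passwd"):
            print(f"{sample!r:32} allowed={is_allowed(root, sample)}")
```

The check decodes only once, so the returned path must be used as-is and not decoded again by later code.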
- CWE(s): CWE-29 (Path Traversal: '\..\filename')
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain: Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: ZenML is an open-source MLOps framework for building, managing, and deploying ML pipelines, including artifact stores for ML artifacts, steps, and logs, making it an AI/ML platform.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Directory traversal in /api/v1/steps endpoint enables arbitrary file reads from the local filesystem, facilitating data collection from local system (T1005), file and directory discovery (T1083), and exploitation of a public-facing web application (T1190).
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.