Detections
Analytics
ZenML Insufficient Session Expiration
low Web App Scanning Plugin ID 114937
Language:
Synopsis
ZenML Insufficient Session ExpirationDescription
According to its banner, the version of BentoML running on the remote host is 1.4.x < 1.4.8. It is, therefore, affected by a Server-Side Request Forgery (SSRF) vulnerability in File Upload Processing. "According to its banner, the version of ZenML hosted on the remote is, affected by an Insufficient Session Expiration.Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Restricting access to ZenML.See Also
https://huntr.com/bounties/c88f6bd2-490d-4930-98dd-03651b20230a
Plugin Details
Severity: Low
ID: 114937
Type: remote
Family: Artificial Intelligence
Published: 8/5/2025
Updated: 8/5/2025
Scan Template: api, basic, full, pci, scan
Risk Information
VPR
Risk Factor: Medium
Score: 6.7
CVSS v2
Risk Factor: Critical
Base Score: 10
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2024-4680
CVSS v3
Risk Factor: High
Base Score: 8.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS Score Source: CVE-2024-4680
CVSS v4
Risk Factor: Low
Base Score: 2
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
CVSS Score Source: CVE-2024-4680
Vulnerability Information
Exploit Available: true
Exploit Ease: Exploits are available
Vulnerability Publication Date: 6/7/2024
Reference Information
CVE: CVE-2024-4680
CWE: 613
OWASP: 2010-A3, 2013-A2, 2017-A2, 2021-A7
WASC: Insufficient Session Expiration
CAPEC: 60
DISA STIG: APSC-DV-001980
HIPAA: 164.306(a)(1), 164.306(a)(2)
ISO: 27001-A.14.2.5
NIST: sp800_53-SC-23(1)
OWASP API: 2019-API2, 2023-API2
OWASP ASVS: 4.0.2-3.3.1
PCI-DSS: 3.2-3.6.4