CVE-2024-4151

Published: May 20, 2024Modified: Jan 31, 2025

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Exploitability: 2.8 / Impact: 5.2

Source: NVD

Description

An Improper Access Control vulnerability exists in lunary-ai/lunary version 1.2.2, where users can view and update any prompts in any projects due to insufficient access control checks in the handling of PATCH and GET requests for template versions. This vulnerability allows unauthorized users to manipulate or access sensitive project data, potentially leading to data integrity and confidentiality issues.

Affected (1)

Products: Lunary: Lunary

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Lunary Lunary	Before 1.2.25

Related CWEs

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (3)

https://github.com/lunary-ai/lunary/commit/ddfd497afd017a6946c582a1a806687fdac888bf

Source: security@huntr.dev

https://huntr.com/bounties/4acfef85-dedf-43bd-8438-0d8aaa4ffa01

Source: security@huntr.dev

ExploitIssue TrackingPatchThird Party Advisory

https://huntr.com/bounties/4acfef85-dedf-43bd-8438-0d8aaa4ffa01

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingPatchThird Party Advisory

Timeline

No history available yet.