CVE-2024-4151

An Improper Access Control vulnerability exists in lunary-ai/lunary version 1.2.2, where users can view and update any prompts in any projects due to insufficient access control checks in the handling of PATCH and GET requests for template versions. This vulnerability allows unauthorized users to manipulate or access sensitive project data, potentially leading to data integrity and confidentiality issues.

CVSS v3.0 8.1 HIGH

8.1^/10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/lunary-ai/lunary/commit/ddfd497afd017a6946c582a1a806687fdac888bf
https://huntr.com/bounties/4acfef85-dedf-43bd-8438-0d8aaa4ffa01	Exploit Issue Tracking Patch Third Party Advisory
https://huntr.com/bounties/4acfef85-dedf-43bd-8438-0d8aaa4ffa01	Exploit Issue Tracking Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*

History

31 Jan 2025, 11:15

Type	Values Removed	Values Added
References		() https://github.com/lunary-ai/lunary/commit/ddfd497afd017a6946c582a1a806687fdac888bf -

10 Jan 2025, 14:38

Type	Values Removed	Values Added
CWE	~~CWE-284~~	CWE-639
First Time		Lunary Lunary lunary
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.1
CPE		cpe:2.3:a:lunary:lunary::::::::
References	~~() https://huntr.com/bounties/4acfef85-dedf-43bd-8438-0d8aaa4ffa01 -~~	() https://huntr.com/bounties/4acfef85-dedf-43bd-8438-0d8aaa4ffa01 - Exploit, Issue Tracking, Patch, Third Party Advisory

20 May 2024, 15:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-05-20 15:15

Updated : 2025-01-31 11:15

NVD link : CVE-2024-4151

Mitre link : CVE-2024-4151

JSON object : View

Products Affected

lunary

lunary

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

8.1 /10