CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3761 – Missing Authorization on Delete Datasets in lunary-ai/lunary
https://notcve.org/view.php?id=CVE-2024-3761
20 May 2024 — In lunary-ai/lunary version 1.2.2, the DELETE endpoint located at `packages/backend/src/api/v1/datasets` is vulnerable to unauthorized dataset deletion due to missing authorization and authentication mechanisms. This vulnerability allows any user, even those without a valid token, to delete a dataset by sending a DELETE request to the endpoint. The issue was fixed in version 1.2.8. The impact of this vulnerability is significant as it permits unauthorized users to delete datasets, potentially leading to dat... • https://github.com/lunary-ai/lunary/commit/14078c1d2b8766075bf655f187ece24c7a787776 • CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1739 – Case Insensitive Email Address Validation Vulnerability in lunary-ai/lunary
https://notcve.org/view.php?id=CVE-2024-1739
16 Apr 2024 — lunary-ai/lunary is vulnerable to an authentication issue due to improper validation of email addresses during the signup process. Specifically, the server fails to treat email addresses as case insensitive, allowing the creation of multiple accounts with the same email address by varying the case of the email characters. For example, accounts for 'abc@gmail.com' and 'Abc@gmail.com' can both be created, leading to potential impersonation and confusion among users. lunary-ai/lunary es vulnerable a un problem... • https://github.com/lunary-ai/lunary/commit/7351157a21e5acd0162b4528bcae9d65b1c95695 • CWE-821: Incorrect Synchronization •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-1626 – IDOR Vulnerability in lunary-ai/lunary
https://notcve.org/view.php?id=CVE-2024-1626
16 Apr 2024 — An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary repository, version 0.3.0, within the project update endpoint. The vulnerability allows authenticated users to modify the name of any project within the system without proper authorization checks, by directly referencing the project's ID in the PATCH request to the '/v1/projects/:projectId' endpoint. This issue arises because the endpoint does not verify if the provided project ID belongs to the currently authenticated u... • https://github.com/lunary-ai/lunary/commit/9eb9e526edff8bf82ae032f7a04867c8d58572bc • CWE-250: Execution with Unnecessary Privileges CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1738 – Incorrect Authorization in lunary-ai/lunary
https://notcve.org/view.php?id=CVE-2024-1738
16 Apr 2024 — An incorrect authorization vulnerability exists in the lunary-ai/lunary repository, specifically within the evaluations.get route in the evaluations API endpoint. This vulnerability allows unauthorized users to retrieve the results of any organization's evaluation by simply knowing the evaluation ID, due to the lack of project ID verification in the SQL query. As a result, attackers can gain access to potentially private data contained within the evaluation results. Existe una vulnerabilidad de autorización... • https://github.com/lunary-ai/lunary/commit/a4e61122e61dc31460cfbe54d15fae389cc440ce • CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1666 – Unauthorized Radar Creation in lunary-ai/lunary
https://notcve.org/view.php?id=CVE-2024-1666
16 Apr 2024 — In lunary-ai/lunary version 1.0.0, an authorization flaw exists that allows unauthorized radar creation. The vulnerability stems from the lack of server-side checks to verify if a user is on a free account during the radar creation process, which is only enforced in the web UI. As a result, attackers can bypass the intended account upgrade requirement by directly sending crafted requests to the server, enabling the creation of an unlimited number of radars without payment. En lunary-ai/lunary versión 1.0.0,... • https://github.com/lunary-ai/lunary/commit/c57cd50fa0477fd2a2efe60810c0099eebd66f54 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1902 – Session Reuse Vulnerability in lunary-ai/lunary
https://notcve.org/view.php?id=CVE-2024-1902
10 Apr 2024 — lunary-ai/lunary is vulnerable to a session reuse attack, allowing a removed user to change the organization name without proper authorization. The vulnerability stems from the lack of validation to check if a user is still part of an organization before allowing them to make changes. An attacker can exploit this by using an old authorization token to send a PATCH request, modifying the organization's name even after being removed from the organization. This issue is due to incorrect synchronization and aff... • https://github.com/lunary-ai/lunary/commit/d8e2e73efd53ab4e92cf47bbf4b639a9f08853d2 • CWE-821: Incorrect Synchronization •
CVSS: 9.4EPSS: 0%CPEs: 2EXPL: 0CVE-2024-1741 – Improper Authorization in lunary-ai/lunary
https://notcve.org/view.php?id=CVE-2024-1741
10 Apr 2024 — lunary-ai/lunary version 1.0.1 is vulnerable to improper authorization, allowing removed members to read, create, modify, and delete prompt templates using an old authorization token. Despite being removed from an organization, these members can still perform operations on prompt templates by sending HTTP requests with their previously captured authorization token. This issue exposes organizations to unauthorized access and manipulation of sensitive template data. lunary-ai/lunary versión 1.0.1 es vulnerabl... • https://github.com/lunary-ai/lunary/commit/d8e2e73efd53ab4e92cf47bbf4b639a9f08853d2 • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1643 – Unauthorized Organization Access in lunary-ai/lunary
https://notcve.org/view.php?id=CVE-2024-1643
10 Apr 2024 — By knowing an organization's ID, an attacker can join the organization without permission and gain the ability to read and modify all data within that organization. This vulnerability allows unauthorized access and modification of sensitive information, posing a significant security risk. The flaw is due to insufficient verification of user permissions when joining an organization. • https://github.com/lunary-ai/lunary/commit/67eaefe1c77c882c628780940c704a117b561d51 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-1625 – IDOR Vulnerability in lunary-ai/lunary
https://notcve.org/view.php?id=CVE-2024-1625
10 Apr 2024 — An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary application version 0.3.0, allowing unauthorized deletion of any organization's project. The vulnerability is due to insufficient authorization checks in the project deletion endpoint, where the endpoint fails to verify if the project ID provided in the request belongs to the requesting user's organization. As a result, an attacker can delete projects belonging to any organization by sending a crafted DELETE request with... • https://github.com/lunary-ai/lunary/commit/88f98e29f19da9d1f5de45c5b163fd5b48e0bcec • CWE-639: Authorization Bypass Through User-Controlled Key CWE-863: Incorrect Authorization •