CVE-2024-5389

Insufficient Access Control in lunary-ai/lunary

Severity Score: 8.1 (CVSS v3.1)
Exploit Likelihood (EPSS): -
Affected Versions (CPE): -
Public Exploits: 1 (multiple sources)
Exploited in Wild (KEV): -
Decision (SSVC): Track*

Descriptions

In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to create, update, get, and delete prompt variations for datasets not owned by their organization. This issue arises due to the application not properly validating the ownership of dataset prompts and their variations against the organization or project of the requesting user. As a result, unauthorized modifications to dataset prompts can occur, leading to altered or removed dataset prompts without proper authorization. This vulnerability impacts the integrity and consistency of dataset information, potentially affecting the results of experiments.
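The missing ownership check described above, as an added TypeScript illustration that is not lunary's code (the in-memory store, record shapes and function names are assumptions): the unchecked lookup by id beside a version that resolves the variation's dataset and compares it with the caller's project.

```typescript
// Added illustration (not lunary's code): the access-control gap described
// above, modelled on a constructed in-memory store. Names are hypothetical.
type Dataset = { id: string; projectId: string };
type DatasetPrompt = { id: string; datasetId: string };
type PromptVariation = { id: string; promptId: string; content: string };
type Caller = { userId: string; projectId: string };

// Constructed sample data: two projects belonging to different organizations.
const datasets: Dataset[] = [
  { id: "ds-a", projectId: "proj-orgA" },
  { id: "ds-b", projectId: "proj-orgB" },
];
const prompts: DatasetPrompt[] = [
  { id: "p-a", datasetId: "ds-a" },
  { id: "p-b", datasetId: "ds-b" },
];
const variations: PromptVariation[] = [
  { id: "v-a", promptId: "p-a", content: "orgA original" },
  { id: "v-b", promptId: "p-b", content: "orgB original" },
];

// Vulnerable pattern: the row is fetched by id alone, so any authenticated
// user can rewrite a variation under another organization's dataset.
function updateVariationUnchecked(_caller: Caller, id: string, content: string): number {
  const v = variations.find((x) => x.id === id);
  if (!v) return 404;
  v.content = content;
  return 200;
}

// Hardened pattern: resolve variation -> prompt -> dataset and require that
// the dataset's project matches the caller's project before touching the row.
// Answering 404 rather than 403 avoids confirming that a foreign id exists.
function updateVariationChecked(caller: Caller, id: string, content: string): number {
  const v = variations.find((x) => x.id === id);
  const p = v && prompts.find((x) => x.id === v.promptId);
  const d = p && datasets.find((x) => x.id === p.datasetId);
  if (!v || !p || !d || d.projectId !== caller.projectId) return 404;
  v.content = content;
  return 200;
}

// Helper for inspecting the store after an update attempt.
function variationContent(id: string): string | undefined {
  return variations.find((x) => x.id === id)?.content;
}
```

The same join through prompt and dataset belongs on the create, get and delete paths as well, since the advisory names all four operations.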

Credits: N/A

CVSS Scores

CVSS v3.1 (score 8.1):
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: None

Alternate CVSS v3 vector:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None

CVSS v2 vector:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: Single
  • Confidentiality: Complete
  • Integrity: Complete
  • Availability: None

* Common Vulnerability Scoring System
SSVC
  • Decision: Track*
  • Exploitation: PoC
  • Automatable: No
  • Technical Impact: Partial
* Organization's worst-case scenario
Timeline
  • 2024-05-25 CVE Reserved
  • 2024-06-09 CVE Published
  • 2024-08-01 CVE Updated
  • 2024-08-01 First Exploit
  • 2024-12-17 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-1220: Insufficient Granularity of Access Control
CAPEC
References (1)
Affected Vendors, Products, and Versions
  • Vendor: Lunary
  • Product: Lunary
  • Version: 1.2.13
  • Other: -
  • Status: Affected