CVE-2024-11301

In lunary-ai/lunary before version 1.6.3, the application allows the creation of evaluators without enforcing a unique constraint on the combination of projectId and slug. This allows an attacker to overwrite existing data by submitting a POST request with the same slug as an existing evaluator. The lack of database constraints or application-layer validation to prevent duplicates exposes the application to data integrity issues. This vulnerability can result in corrupted data and potentially malicious actions, impairing the system's functionality.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector : AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/lunary-ai/lunary/commit/79dc370596d979b756f6ea0250d97a2d02385ecd	Patch
https://huntr.com/bounties/3d99aca5-b135-4833-b48b-7806bc4bf861	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*

History

02 Jul 2025, 19:48

Type	Values Removed	Values Added
First Time		Lunary Lunary lunary
CPE		cpe:2.3:a:lunary:lunary::::::::
Summary		(es) En lunary-ai/lunary, versiones anteriores a la 1.6.3, la aplicación permite la creación de evaluadores sin imponer una restricción única en la combinación de projectId y slug. Esto permite a un atacante sobrescribir datos existentes al enviar una solicitud POST con el mismo slug que un evaluador existente. La falta de restricciones en la base de datos o validación en la capa de aplicación para evitar duplicados expone la aplicación a problemas de integridad de datos. Esta vulnerabilidad puede provocar la corrupción de datos y posibles acciones maliciosas, lo que afecta la funcionalidad del sistema.
References	~~() https://github.com/lunary-ai/lunary/commit/79dc370596d979b756f6ea0250d97a2d02385ecd -~~	() https://github.com/lunary-ai/lunary/commit/79dc370596d979b756f6ea0250d97a2d02385ecd - Patch
References	~~() https://huntr.com/bounties/3d99aca5-b135-4833-b48b-7806bc4bf861 -~~	() https://huntr.com/bounties/3d99aca5-b135-4833-b48b-7806bc4bf861 - Exploit, Third Party Advisory

20 Mar 2025, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-20 10:15

Updated : 2025-07-02 19:48

NVD link : CVE-2024-11301

Mitre link : CVE-2024-11301

CVE.ORG link : CVE-2024-11301

JSON object : View

Products Affected

lunary

lunary

CWE

CWE-837

Improper Enforcement of a Single, Unique Action

6.5 /10