CVE-2024-4151

An Improper Access Control vulnerability exists in lunary-ai/lunary version 1.2.2, where users can view and update any prompts in any projects due to insufficient access control checks in the handling of PATCH and GET requests for template versions. This vulnerability allows unauthorized users to manipulate or access sensitive project data, potentially leading to data integrity and confidentiality issues.

CVSS v3 8.3 HIGH

8.3^/10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Exploitability : 2.8 / Impact : 5.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/4acfef85-dedf-43bd-8438-0d8aaa4ffa01
https://huntr.com/bounties/4acfef85-dedf-43bd-8438-0d8aaa4ffa01

Configurations

No configuration.

History

21 Nov 2024, 09:42

Type	Values Removed	Values Added
References	~~() https://huntr.com/bounties/4acfef85-dedf-43bd-8438-0d8aaa4ffa01 -~~	() https://huntr.com/bounties/4acfef85-dedf-43bd-8438-0d8aaa4ffa01 -
Summary		(es) Existe una vulnerabilidad de control de acceso inadecuado en lunary-ai/lunary versión 1.2.2, donde los usuarios pueden ver y actualizar cualquier mensaje en cualquier proyecto debido a comprobaciones de control de acceso insuficientes en el manejo de solicitudes PATCH y GET para versiones de plantillas. Esta vulnerabilidad permite a usuarios no autorizados manipular o acceder a datos confidenciales del proyecto, lo que podría generar problemas de integridad y confidencialidad de los datos.

20 May 2024, 15:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-05-20 15:15

Updated : 2024-11-21 09:42

NVD link : CVE-2024-4151

Mitre link : CVE-2024-4151

CVE.ORG link : CVE-2024-4151

JSON object : View

Products Affected

No product.

CWE

CWE-284

Improper Access Control

8.3 /10