An Insecure Direct Object Reference (IDOR) vulnerability was identified in lunary-ai/lunary, affecting versions up to and including 1.2.2. This vulnerability allows unauthorized users to view, update, or delete any dataset_prompt or dataset_prompt_variation within any dataset or project. The issue stems from improper access control checks in the dataset management endpoints, where direct references to object IDs are not adequately secured against unauthorized access. This vulnerability was fixed in version 1.2.25.
References
Link | Resource |
---|---|
https://github.com/lunary-ai/lunary/commit/0755dde1afc2a74ec23b55eee03e4416916cf48f | Patch |
https://huntr.com/bounties/11248071-11b2-42d9-991a-504bf2044332 | Exploit Issue Tracking Patch Third Party Advisory |
Configurations
History
03 Nov 2024, 17:15
Type | Values Removed | Values Added |
---|---|---|
CWE |
23 Sep 2024, 15:11
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-639 | |
First Time |
Lunary
Lunary lunary |
|
References | () https://github.com/lunary-ai/lunary/commit/0755dde1afc2a74ec23b55eee03e4416916cf48f - Patch | |
References | () https://huntr.com/bounties/11248071-11b2-42d9-991a-504bf2044332 - Exploit, Issue Tracking, Patch, Third Party Advisory | |
CPE | cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
07 Jun 2024, 14:56
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
06 Jun 2024, 19:16
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-06-06 19:16
Updated : 2024-11-03 17:15
NVD link : CVE-2024-5128
Mitre link : CVE-2024-5128
CVE.ORG link : CVE-2024-5128
JSON object : View
Products Affected
lunary
- lunary
CWE
CWE-639
Authorization Bypass Through User-Controlled Key