CVE-2024-5128

An Insecure Direct Object Reference (IDOR) vulnerability was identified in lunary-ai/lunary, affecting versions up to and including 1.2.2. This vulnerability allows unauthorized users to view, update, or delete any dataset_prompt or dataset_prompt_variation within any dataset or project. The issue stems from improper access control checks in the dataset management endpoints, where direct references to object IDs are not adequately secured against unauthorized access. This vulnerability was fixed in version 1.2.25.
Configurations

Configuration 1 (hide)

cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*

History

21 Nov 2024, 09:47

Type Values Removed Values Added
References () https://github.com/lunary-ai/lunary/commit/0755dde1afc2a74ec23b55eee03e4416916cf48f - Patch () https://github.com/lunary-ai/lunary/commit/0755dde1afc2a74ec23b55eee03e4416916cf48f - Patch
References () https://huntr.com/bounties/11248071-11b2-42d9-991a-504bf2044332 - Exploit, Issue Tracking, Patch, Third Party Advisory () https://huntr.com/bounties/11248071-11b2-42d9-991a-504bf2044332 - Exploit, Issue Tracking, Patch, Third Party Advisory

03 Nov 2024, 17:15

Type Values Removed Values Added
CWE CWE-284

23 Sep 2024, 15:11

Type Values Removed Values Added
CWE CWE-639
First Time Lunary
Lunary lunary
References () https://github.com/lunary-ai/lunary/commit/0755dde1afc2a74ec23b55eee03e4416916cf48f - () https://github.com/lunary-ai/lunary/commit/0755dde1afc2a74ec23b55eee03e4416916cf48f - Patch
References () https://huntr.com/bounties/11248071-11b2-42d9-991a-504bf2044332 - () https://huntr.com/bounties/11248071-11b2-42d9-991a-504bf2044332 - Exploit, Issue Tracking, Patch, Third Party Advisory
CPE cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : 9.4
v2 : unknown
v3 : 8.8

07 Jun 2024, 14:56

Type Values Removed Values Added
Summary
  • (es) Se identificó una vulnerabilidad de referencia directa de objetos inseguros (IDOR) en lunary-ai/lunary, que afecta a las versiones hasta la 1.2.2 incluida. Esta vulnerabilidad permite a usuarios no autorizados ver, actualizar o eliminar cualquier dataset_prompt o dataset_prompt_variation dentro de cualquier conjunto de datos o proyecto. El problema surge de controles de acceso inadecuados en los endpoints de gestión de conjuntos de datos, donde las referencias directas a los ID de objetos no están adecuadamente protegidas contra el acceso no autorizado. Esta vulnerabilidad se solucionó en la versión 1.2.25.

06 Jun 2024, 19:16

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-06 19:16

Updated : 2024-11-21 09:47


NVD link : CVE-2024-5128

Mitre link : CVE-2024-5128

CVE.ORG link : CVE-2024-5128


JSON object : View

Products Affected

lunary

  • lunary
CWE
CWE-639

Authorization Bypass Through User-Controlled Key