CVE-2024-7473

An IDOR vulnerability exists in the 'Evaluations' function of the 'umgws datasets' section in lunary-ai/lunary version 1.3.2. This vulnerability allows an authenticated user to update other users' prompts by manipulating the 'id' parameter in the request. The issue is fixed in version 1.4.3.

Configurations

Configuration 1

cpe:2.3:a:lunary:lunary:1.3.2:*:*:*:*:*:*:*

History

03 Nov 2024, 17:15

Type Values Removed Values Added
CWE CWE-269

31 Oct 2024, 15:11

Type Values Removed Values Added
References () https://github.com/lunary-ai/lunary/commit/88b55b01fcbab0fbbc5b8032a38d0345af98ecfa - () https://github.com/lunary-ai/lunary/commit/88b55b01fcbab0fbbc5b8032a38d0345af98ecfa - Patch
References () https://huntr.com/bounties/afecd927-b5f6-44ba-9147-5c45091beda5 - () https://huntr.com/bounties/afecd927-b5f6-44ba-9147-5c45091beda5 - Exploit, Third Party Advisory
Summary
  • (es) An IDOR vulnerability exists in the 'Evaluations' function of the 'umgws datasets' section in version 1.3.2 of lunary-ai/lunary. This vulnerability allows an authenticated user to update other users' requests by manipulating the 'id' parameter in the request. The issue was fixed in version 1.4.3.
First Time Lunary
Lunary lunary
CWE CWE-639
CVSS (removed) v2 : unknown, v3 : 7.5; (added) v2 : unknown, v3 : 6.5
CPE cpe:2.3:a:lunary:lunary:1.3.2:*:*:*:*:*:*:*

29 Oct 2024, 13:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-29 13:15

Updated : 2024-11-03 17:15


NVD link : CVE-2024-7473

Mitre link : CVE-2024-7473

CVE.ORG link : CVE-2024-7473



Products Affected

lunary

  • lunary

CWE
CWE-639

Authorization Bypass Through User-Controlled Key