CVE-2024-1738

Published: Apr 16, 2024

Modified: Aug 1, 2024

PUBLISHED

CVSS v3.0

7.5

HIGH

Description

An incorrect authorization vulnerability exists in the lunary-ai/lunary repository, specifically within the evaluations.get route in the evaluations API endpoint. This vulnerability allows unauthorized users to retrieve the results of any organization's evaluation by simply knowing the evaluation ID, due to the lack of project ID verification in the SQL query. As a result, attackers can gain access to potentially private data contained within the evaluation results.

Vendor	Product	Versions
lunary-ai	lunary-ai/lunary	affected `unspecified - < 1.2.4`

Weaknesses (CWE)

CWE-863

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

https://huntr.com/bounties/f68ef361-7a5d-4272-9c2f-414baf074309

https://github.com/lunary-ai/lunary/commit/a4e61122e61dc31460cfbe54d15fae389cc440ce

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-1738

Description

Affected Products

Weaknesses (CWE)

CVSS v3.0 Details

References