CVE-2024-5131

An Improper Access Control vulnerability exists in the lunary-ai/lunary repository, affecting versions up to and including 1.2.2. The vulnerability allows unauthorized users to view any prompts in any projects by supplying a specific prompt ID to an endpoint that does not adequately verify the ownership of the prompt ID. This issue was fixed in version 1.2.25.
Configurations

Configuration 1 (hide)

cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*

History

03 Nov 2024, 17:15

Type Values Removed Values Added
CWE CWE-284

03 Oct 2024, 16:59

Type Values Removed Values Added
References () https://github.com/lunary-ai/lunary/commit/ddfd497afd017a6946c582a1a806687fdac888bf - () https://github.com/lunary-ai/lunary/commit/ddfd497afd017a6946c582a1a806687fdac888bf - Patch
References () https://huntr.com/bounties/52c129f2-114e-492f-aee8-32c78f75ac4f - () https://huntr.com/bounties/52c129f2-114e-492f-aee8-32c78f75ac4f - Exploit, Third Party Advisory
CWE CWE-639
CVSS v2 : unknown
v3 : 7.5
v2 : unknown
v3 : 6.5
CPE cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*
First Time Lunary
Lunary lunary

07 Jun 2024, 14:56

Type Values Removed Values Added
Summary
  • (es) Existe una vulnerabilidad de control de acceso inadecuado en el repositorio lunary-ai/lunary, que afecta a las versiones hasta la 1.2.2 incluida. La vulnerabilidad permite a usuarios no autorizados ver cualquier mensaje en cualquier proyecto al proporcionar un ID de mensaje específico a un endpoint que no verifica adecuadamente la propiedad del ID de mensaje. Este problema se solucionó en la versión 1.2.25.

06 Jun 2024, 19:16

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-06 19:16

Updated : 2024-11-03 17:15


NVD link : CVE-2024-5131

Mitre link : CVE-2024-5131

CVE.ORG link : CVE-2024-5131


JSON object : View

Products Affected

lunary

  • lunary
CWE
CWE-639

Authorization Bypass Through User-Controlled Key