An Insecure Direct Object Reference (IDOR) vulnerability was identified in lunary-ai/lunary, affecting versions up to and including 1.2.2. This vulnerability allows unauthorized users to view, update, or delete any dataset_prompt or dataset_prompt_variation within any dataset or project. The issue stems from improper access control checks in the dataset management endpoints, where direct references to object IDs are not adequately secured against unauthorized access. This vulnerability was fixed in version 1.2.25.
History

Sun, 03 Nov 2024 17:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-284 |

Sun, 03 Nov 2024 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Lunary-ai, Lunary-ai lunary |
| CPEs | | cpe:2.3:a:lunary-ai:lunary:*:*:*:*:*:*:*:* |
| Vendors & Products | | Lunary-ai, Lunary-ai lunary |
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Mon, 23 Sep 2024 15:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Lunary, Lunary lunary |
| Weaknesses | | CWE-639 |
| CPEs | | cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:* |
| Vendors & Products | | Lunary, Lunary lunary |
| Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-06-06T18:08:23.755Z

Updated: 2024-11-03T18:27:23.511Z

Reserved: 2024-05-19T17:50:17.519Z

Link: CVE-2024-5128

Vulnrichment

Updated: 2024-08-01T21:03:10.715Z

NVD

Status: Modified

Published: 2024-06-06T19:16:04.323

Modified: 2024-11-21T09:47:01.963

Link: CVE-2024-5128

Redhat

No data.