A Server-Side Request Forgery (SSRF) vulnerability exists in the lunary-ai/lunary application, specifically within the endpoint '/auth/saml/tto/download-idp-xml'. The vulnerability arises due to the application's failure to validate user-supplied URLs before using them in server-side requests. An attacker can exploit this vulnerability by sending a specially crafted request to the affected endpoint, allowing them to make unauthorized requests to internal or external resources. This could lead to the disclosure of sensitive information, service disruption, or further attacks against the network infrastructure. The issue affects the latest version of the application as of the report.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-06-06T18:53:58.528Z

Updated: 2024-08-01T21:11:12.429Z

Reserved: 2024-05-24T17:18:05.524Z

Link: CVE-2024-5328

cve-icon Vulnrichment

Updated: 2024-08-01T21:11:12.429Z

cve-icon NVD

Status : Modified

Published: 2024-06-06T19:16:08.627

Modified: 2024-11-21T09:47:25.977

Link: CVE-2024-5328

cve-icon Redhat

No data.