SecuriTricks - CVE-2024-11301

Description

In lunary-ai/lunary before version 1.6.3, the application allows the creation of evaluators without enforcing a unique constraint on the combination of projectId and slug. This allows an attacker to overwrite existing data by submitting a POST request with the same slug as an existing evaluator. The lack of database constraints or application-layer validation to prevent duplicates exposes the application to data integrity issues. This vulnerability can result in corrupted data and potentially malicious actions, impairing the system's functionality.

Product(s) Impacted

Vendor	Product	Versions
Lunary-ai	Lunary	<1.6.3

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-837

Improper Enforcement of a Single, Unique Action

The product requires that an actor should only be able to perform an action once, or to have only one unique action, but the product does not enforce or improperly enforces this restriction.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	lunary-ai	lunary	<1.6.3	/	/	/	/	/	/	/

References

https://github.com/lunary-ai/lunary/commit/79dc370596d979b756f6ea0250d97a2d02385ecd

https://huntr.com/bounties/3d99aca5-b135-4833-b48b-7806bc4bf861

CVSS Score

6.5 / 10

CVSS Data - 3.0

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

View Vector String

Timeline

Published: March 20, 2025, 10:15 a.m.
Last Modified: March 20, 2025, 10:15 a.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@huntr.dev

CVE-2024-11301