CVE-2024-4151

May 20, 2024, 3:17 p.m.

8.3
High

Description

An Improper Access Control vulnerability exists in lunary-ai/lunary version 1.2.2, where users can view and update any prompts in any projects due to insufficient access control checks in the handling of PATCH and GET requests for template versions. This vulnerability allows unauthorized users to manipulate or access sensitive project data, potentially leading to data integrity and confidentiality issues.

Product(s) Impacted

Product Versions
lunary-ai/lunary
  • ['1.2.2']

Weaknesses

Common security weaknesses mapped to this vulnerability.

References

https://huntr.com/bounties/4acfef85-dedf-43bd-8438-0d8aaa4ffa01

Tags

CWE-284
security@huntr.dev
2024-05-20
CVE-2024-4151

CVSS Score

8.3 / 10

CVSS Data - 3.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: LOW

    • CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

    View Vector String

Timeline

Published: May 20, 2024, 3:15 p.m.
Last Modified: May 20, 2024, 3:17 p.m.

Status : Awaiting Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

security@huntr.dev

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.