CVE-2024-4151

HIGH

lunary < 1.2.25 - Unauthenticated Authorization Bypass via Template Version Request Handling

Title source: llm

Description

An Improper Access Control vulnerability exists in lunary-ai/lunary version 1.2.2, where users can view and update any prompts in any projects due to insufficient access control checks in the handling of PATCH and GET requests for template versions. This vulnerability allows unauthorized users to manipulate or access sensitive project data, potentially leading to data integrity and confidentiality issues.

References (2)

Core 2

Core References

Exploit, Issue Tracking, Patch, Third Party Advisory

https://huntr.com/bounties/4acfef85-dedf-43bd-8438-0d8aaa4ffa01

Patch

https://github.com/lunary-ai/lunary/commit/ddfd497afd017a6946c582a1a806687fdac888bf

Scores

CVSS v3 8.1

EPSS 0.0039

EPSS Percentile 30.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-639

Status published

Products (1)

lunary/lunary < 1.2.25

Published May 20, 2024

Tracked Since Feb 18, 2026