CVE-2024-7474

HIGH

lunary < 1.3.4 - Unauthenticated Insecure Direct Object Reference via ID Parameter

Title source: llm

Description

In version 1.3.2 of lunary-ai/lunary, an Insecure Direct Object Reference (IDOR) vulnerability exists. A user can view or delete external users by manipulating the 'id' parameter in the request URL. The application does not perform adequate checks on the 'id' parameter, allowing unauthorized access to external user data.

References (2)

Core 2

Core References

Patch

https://github.com/lunary-ai/lunary/commit/8f563c77d8614a72980113f530c7a9ec15a5f8d5

Exploit, Issue Tracking, Third Party Advisory

https://huntr.com/bounties/95d8b993-3347-4ef5-a2b3-1f57219b7871

Scores

CVSS v3 8.1

EPSS 0.0048

EPSS Percentile 37.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-639

Status published

Products (1)

lunary/lunary < 1.3.4

Published Oct 29, 2024

Tracked Since Feb 18, 2026