CVE-2024-7473 - An IDOR vulnerability exists in the 'Evaluations' function of the 'umgws datasets' section in lunary

CVE-2024-7473

Summary

An IDOR vulnerability exists in the 'Evaluations' function of the 'umgws datasets' section in lunary-ai/lunary versions 1.3.2. This vulnerability allows an authenticated user to update other users' prompts by manipulating the 'id' parameter in the request. The issue is fixed in version 1.4.3.

References

https://huntr.com/bounties/afecd927-b5f6-44ba-9147-5c45091beda5
https://github.com/lunary-ai/lunary/commit/88b55b01fcbab0fbbc5b8032a38d0345af98ecfa

Vulnerable Configurations

cpe:2.3:a:lunary:lunary:1.3.2:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.3.2:*:*:*:*:*:*:*

CVSS

Base:	None
Impact:
Exploitability:

CWE

CWE-639

CAPEC

Access

Vector	Complexity	Authentication

Impact

Confidentiality	Integrity	Availability

Last major update

03-11-2024 - 17:15

Published

29-10-2024 - 13:15

Last modified

03-11-2024 - 17:15