CVE-2024-7456

Name of the Vulnerable Software and Affected Versions lunary-ai/lunary version v1.4.2

Description A SQL injection vulnerability exists in the "/api/v1/external-users" route. The order by clause of the SQL query uses sql.unsafe without prior sanitization, allowing for SQL injection. The orderByClause variable is constructed without server-side validation or sanitization, enabling an attacker to execute arbitrary SQL commands. Successful exploitation can lead to complete data loss, modification, or corruption.

Recommendations For lunary-ai/lunary version v1.4.2, as a temporary workaround, consider disabling the /api/v1/external-users route until a patch is available. Restrict access to this route to minimize the risk of exploitation. Avoid using the orderByClause variable in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.