PT-2024-9681 · Lunary Ai · Lunary
Published: 2024-10-29 · Updated: 2024-11-03
CVE-2024-7473
CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
lunary-ai/lunary versions 1.3.2 through 1.4.2
Description
The issue is related to an IDOR vulnerability in the 'Evaluations' function of the 'umgws datasets' section. This vulnerability allows an authenticated user to update other users' prompts by manipulating the id parameter in the request.
Recommendations
For versions 1.3.2 through 1.4.2, update to version 1.4.3 to resolve the issue.
As a temporary workaround, consider restricting access to the 'Evaluations' function in the 'umgws datasets' section until the update is applied.
Avoid using the id parameter in the affected request until the issue is resolved.
IDOR
Weakness Enumeration
Related Identifiers
Affected Products
Lunary