PT-2025-12034 · Unknown · Lunary-Ai/Lunary

Published 2025-03-20 · Updated 2025-07-02 · CVE-2024-10273

CVSS v3.1 6.5 Medium
Vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary version 1.5.0
Description: The vulnerability is an improper privilege management flaw in models.ts. The "PATCH" endpoint that updates a model performs no role or ownership check before applying the update, so a user who holds only the viewer role can modify models owned by other users. A low-privilege account can therefore change model definitions it should only be able to read, which affects the integrity and reliability of the system. The CVSS vector (PR:L, C:N/I:H/A:N) reflects this: any authenticated low-privilege user can reach the endpoint over the network, and the impact is to integrity only.
Recommendations: For lunary-ai/lunary version 1.5.0, until a fixed release is available, restrict access to the model "PATCH" endpoint (for example at a reverse proxy in front of the API) or limit accounts to trusted users. On the application side, the handler must enforce server-side that the caller's role permits editing models and that the targeted model belongs to the caller's project before any update is applied; hiding the edit control in the UI is not a mitigation, because the endpoint can be called directly.
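To make the missing check concrete, the following is an added example and not Lunary's own code: a minimal model PATCH handler in the shape the description implies (exists-check only), beside a hardened version that scopes the lookup to the caller's project, requires an editing role, and copies only whitelisted fields. The role names, the User and Model shapes, and the in-memory store are assumptions made for this illustration.

```typescript
// Added example, not Lunary's code: a model PATCH handler with the missing
// check (vulnerable) and with role and project-scoping checks (hardened).
// Roles, the User/Model shapes and the in-memory store are assumptions.

type Role = "owner" | "admin" | "member" | "viewer";

interface User { id: string; projectId: string; role: Role; }

interface Model {
  id: string;
  projectId: string;   // the project (tenant) that owns this model definition
  name: string;
  inputCost: number;
  outputCost: number;
}

type Store = Map<string, Model>;

type Result =
  | { status: 200; model: Model }
  | { status: 403 | 404; error: string };

// Constructed sample data standing in for the database: two projects, one model each.
export function createStore(): Store {
  return new Map<string, Model>([
    ["m1", { id: "m1", projectId: "p1", name: "gpt-4o", inputCost: 2.5, outputCost: 10 }],
    ["m2", { id: "m2", projectId: "p2", name: "claude-3", inputCost: 3, outputCost: 15 }],
  ]);
}

// Vulnerable shape of the handler: authentication has happened (we have a User),
// but the only check is that the model exists. Any signed-in account, including a
// viewer or a member of another project, can rewrite any model, and because the
// body is merged wholesale even projectId can be changed (mass assignment).
export function patchModelVulnerable(
  store: Store, user: User, id: string, body: Record<string, unknown>,
): Result {
  void user; // the caller's identity and role are never consulted
  const model = store.get(id);
  if (!model) return { status: 404, error: "model not found" };
  Object.assign(model, body);
  return { status: 200, model };
}

// Roles permitted to edit model definitions; viewer is deliberately absent.
const EDIT_ROLES: ReadonlySet<Role> = new Set<Role>(["owner", "admin", "member"]);

// Hardened handler: (1) the lookup is scoped to the caller's project, so a model in
// another project is indistinguishable from a missing one; (2) the caller's role must
// allow editing; (3) only whitelisted fields are copied from the request body.
export function patchModelHardened(
  store: Store, user: User, id: string, body: Record<string, unknown>,
): Result {
  const model = store.get(id);
  if (!model || model.projectId !== user.projectId) {
    return { status: 404, error: "model not found" };
  }
  if (!EDIT_ROLES.has(user.role)) {
    return { status: 403, error: `role ${user.role} may not edit models` };
  }
  const updated: Model = { ...model };
  if (typeof body.name === "string") updated.name = body.name;
  if (typeof body.inputCost === "number") updated.inputCost = body.inputCost;
  if (typeof body.outputCost === "number") updated.outputCost = body.outputCost;
  store.set(id, updated);
  return { status: 200, model: updated };
}
```

Two design points worth keeping when porting this to a real handler: the project-scope check runs before the role check and returns 404 rather than 403, so a user cannot probe whether a model ID exists in another project; and the field whitelist means the request body can never overwrite ownership or identity columns, which is a separate bug that wholesale `Object.assign` or ORM "update from body" helpers tend to introduce alongside the missing role check.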


Weakness Enumeration: Incorrect Authorization (CWE-863); Improper Privilege Management (CWE-269)

Related Identifiers: CVE-2024-10273

Affected Products: Lunary-Ai/Lunary