PT-2025-12098 · Unknown · Lunary-Ai/Lunary

Published 2025-03-20 · Updated 2025-07-02 · CVE-2024-11137

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
lunary-ai/lunary version 1.6.0

Description
An Insecure Direct Object Reference (IDOR) vulnerability exists in the "PATCH /v1/runs/:id/score" endpoint. It allows an attacker to update the score data of any run by changing the id parameter in the request URL, which maps to the run's runId in the database. The endpoint does not sufficiently verify that the authenticated user is permitted to modify the specified runId, so an attacker with a valid account can modify the scores of other users' runs simply by supplying different id values.

Recommendations
For lunary-ai/lunary version 1.6.0, update to version 1.6.1 to resolve the issue. As a temporary workaround, consider restricting access to the "PATCH /v1/runs/:id/score" endpoint to prevent unauthorized modifications. Avoid relying on the id parameter of the affected endpoint until the issue is resolved.
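An added illustration of the missing authorization check the description refers to, written in plain JavaScript against a hypothetical in-memory model (this is not Lunary's code; the run and project identifiers are constructed): the handler that trusts the URL id alone sits beside one that scopes the lookup to the caller's project.

```javascript
// Hypothetical data model (constructed for this example): every run belongs to a
// project, and an authenticated caller is scoped to exactly one project.
const runs = new Map([
  ["run-a", { projectId: "proj-1", score: null }],
  ["run-b", { projectId: "proj-2", score: null }],
]);

class HttpError extends Error {
  constructor(status, message) {
    super(message);
    this.status = status;
  }
}

// Shared input validation: a score must be a finite number in [0, 1].
function validateScore(score) {
  if (typeof score !== "number" || !Number.isFinite(score) || score < 0 || score > 1) {
    throw new HttpError(400, "score must be a number between 0 and 1");
  }
}

// Vulnerable pattern, as the advisory describes it: the run is fetched by the
// URL id only, so any authenticated caller can write to any run.
function patchScoreVulnerable(ctx, id, score) {
  validateScore(score);
  const run = runs.get(id);
  if (!run) throw new HttpError(404, "run not found");
  run.score = score; // no check that ctx.projectId owns this run
  return { id, score: run.score };
}

// Hardened pattern: ownership is part of the lookup itself. A run in another
// project is answered exactly like a missing one (404), so the response does
// not confirm that a guessed id exists. The denied attempt is logged so that
// repeated cross-project writes can be alerted on.
function patchScoreFixed(ctx, id, score) {
  validateScore(score);
  const run = runs.get(id);
  if (!run || run.projectId !== ctx.projectId) {
    console.warn(`denied score update: project=${ctx.projectId} run=${id}`);
    throw new HttpError(404, "run not found");
  }
  run.score = score;
  return { id, score: run.score };
}
```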


Weakness Enumeration: Improper Access Control, IDOR

Related Identifiers: CVE-2024-11137

Affected Products: Lunary-Ai/Lunary