CVE-2024-11301

Name of the Vulnerable Software and Affected Versions lunary-ai/lunary versions prior to 1.6.3

Description The application allows the creation of evaluators without enforcing a unique constraint on the combination of projectId and slug. This enables an attacker to overwrite existing data by submitting a POST request to the API endpoint with the same slug as an existing evaluator. The lack of database constraints or application-layer validation to prevent duplicates exposes the application to data integrity issues, potentially resulting in corrupted data and malicious actions that impair the system's functionality.

Recommendations For versions prior to 1.6.3, update to version 1.6.3 or later to resolve the issue. As a temporary workaround, consider implementing custom validation to enforce unique constraints on the combination of projectId and slug for evaluator creation. Restrict access to the evaluator creation API endpoint to minimize the risk of exploitation.