PT-2025-12105 · Lunary · Lunary

Published 2025-03-20 · Updated 2025-07-02 · CVE-2024-11301

CVSS v3.1: 6.5
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary versions prior to 1.6.3

Description: The application allows the creation of evaluators without enforcing a unique constraint on the combination of `projectId` and `slug`. This enables an attacker to overwrite existing data by submitting a POST request to the API endpoint with the same `slug` as an existing evaluator. The lack of database constraints or application-layer validation to prevent duplicates exposes the application to data integrity issues, potentially resulting in corrupted data and malicious actions that impair the system's functionality.

Recommendations: For versions prior to 1.6.3, update to version 1.6.3 or later to resolve the issue. As a temporary workaround, consider implementing custom validation to enforce unique constraints on the combination of `projectId` and `slug` for evaluator creation. Restrict access to the evaluator creation API endpoint to minimize the risk of exploitation.
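An added example, not Lunary's own code: a simplified JavaScript model of the evaluator-creation handler, showing the silent overwrite on a duplicate slug beside an application-layer check that enforces uniqueness of (projectId, slug) as the workaround above suggests. The store, handler and error names are assumptions, and an in-memory array stands in for the evaluators table.

```javascript
// Constructed in-memory stand-in for the evaluators table (not Lunary's schema).
function newStore() { return { rows: [] }; }

// Minimal HTTP-style error so a handler can signal 400/409 (name assumed).
class HttpError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

function findBySlug(store, projectId, slug) {
  return store.rows.find((r) => r.projectId === projectId && r.slug === slug);
}

// Weak handler, modelled on the advisory: the row is written by slug with no
// uniqueness check, so a second POST carrying an existing slug silently
// replaces the stored evaluator (the data-integrity bug).
function createEvaluatorWeak(store, projectId, body) {
  const row = { projectId, slug: body.slug, params: body.params };
  const existing = findBySlug(store, projectId, body.slug);
  if (existing) Object.assign(existing, row); // overwrite
  else store.rows.push(row);
  return row;
}

// Hardened handler: validate the slug and reject a duplicate (projectId, slug)
// with 409 before inserting. The durable fix is the same rule at the database
// layer, e.g. UNIQUE (project_id, slug) on the evaluators table (names assumed),
// so that two concurrent requests that both pass this check still cannot
// both be stored.
function createEvaluatorSafe(store, projectId, body) {
  if (typeof body.slug !== "string" || !/^[a-z0-9-]{1,64}$/.test(body.slug)) {
    throw new HttpError(400, "invalid slug");
  }
  if (findBySlug(store, projectId, body.slug)) {
    throw new HttpError(409, `evaluator "${body.slug}" already exists in project ${projectId}`);
  }
  const row = { projectId, slug: body.slug, params: body.params };
  store.rows.push(row);
  return row;
}

// Replay the advisory's scenario against a handler: a legitimate create followed
// by a second POST with the same slug. Returns the second request's status and
// the value that ends up stored for the original evaluator.
function replay(create) {
  const store = newStore();
  create(store, "p1", { slug: "toxicity", params: { threshold: 0.9 } });
  let status = 201;
  try { create(store, "p1", { slug: "toxicity", params: { threshold: 0.0 } }); }
  catch (e) { status = e instanceof HttpError ? e.status : 500; }
  return { status, threshold: findBySlug(store, "p1", "toxicity").params.threshold };
}
```

Running `replay(createEvaluatorWeak)` yields status 201 with the threshold overwritten to 0.0, while `replay(createEvaluatorSafe)` yields 409 and leaves the original 0.9 intact.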

Related Identifiers: CVE-2024-11301

Affected Products: Lunary