CVE-2024-9000

Name of the Vulnerable Software and Affected Versions lunary-ai/lunary versions prior to 1.4.26

Description The issue concerns a lack of access control in the checklists.post() endpoint, allowing users to create or modify checklists without proper permission checks. This enables unauthorized users to create checklists, bypassing intended permissions. Furthermore, the endpoint fails to validate the uniqueness of the slug field when creating a new checklist, permitting an attacker to spoof existing checklists by reusing the slug of an already-existing checklist. This can lead to significant data integrity issues, as legitimate checklists can be replaced with malicious or altered data.

Recommendations For versions prior to 1.4.26, update to version 1.4.26 or later to resolve the issue. As a temporary workaround, consider disabling the checklists.post() endpoint until a patch is available. Restrict access to the checklists.post() endpoint to minimize the risk of exploitation. Avoid using the slug field in the affected endpoint until the issue is resolved.