Insufficient Granularity of Access Control Vulnerability Affects Dataset Information Integrity
CVE-2024-5389
8.1 HIGH
What is CVE-2024-5389?
In version 1.2.13 of Lunary, a vulnerability related to insufficient granularity of access control allows users to create, update, get, and delete prompt variations for datasets they do not own. This flaw occurs because the application fails to validate dataset prompt ownership appropriately against the requesting user's organization or project. Consequently, unauthorized modifications can take place, leading to changes in dataset prompts that lack proper authorization. These alterations compromise the integrity and consistency of dataset information, which can adversely impact the outcomes of various experiments.
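The missing ownership check described above, shown as an added example that is not Lunary's code: an in-memory model compares a lookup by id alone with one scoped to the caller's project. All names (`db`, `ctx.state.projectId`, the handler functions) and the sample records are hypothetical and constructed for illustration.

```javascript
// Constructed sample data: two projects, each owning one dataset, prompt and variation.
const db = {
  datasets: [{ id: "ds-a", projectId: "proj-a" }, { id: "ds-b", projectId: "proj-b" }],
  prompts: [{ id: "p-a", datasetId: "ds-a" }, { id: "p-b", datasetId: "ds-b" }],
  variations: [
    { id: "v-a", promptId: "p-a", variables: { topic: "billing" } },
    { id: "v-b", promptId: "p-b", variables: { topic: "refunds" } },
  ],
};

// Flawed pattern: the record is selected by id alone, so any authenticated
// caller can update a variation that belongs to another project.
function updateVariationUnchecked(ctx, variationId, variables) {
  const v = db.variations.find((x) => x.id === variationId);
  if (!v) return { status: 404 };
  v.variables = variables;
  return { status: 200, body: v };
}

// Resolve variation -> prompt -> dataset and require the dataset's project to
// match the project bound to the caller's session (assumed to be set by the
// authentication layer, never taken from a client-supplied parameter).
function findOwnedVariation(projectId, variationId) {
  const v = db.variations.find((x) => x.id === variationId);
  const p = v && db.prompts.find((x) => x.id === v.promptId);
  const d = p && db.datasets.find((x) => x.id === p.datasetId);
  return d && d.projectId === projectId ? v : null;
}

// Hardened pattern: same operation, scoped to the caller's project. A foreign
// id gets 404, the same as a missing one, so the response does not reveal
// whether the id exists in another project.
function updateVariationScoped(ctx, variationId, variables) {
  const v = findOwnedVariation(ctx.state.projectId, variationId);
  if (!v) return { status: 404 };
  v.variables = variables;
  return { status: 200, body: v };
}
```

The same scoping applies to the create, get and delete paths: each resolves the parent dataset and compares its project to the session's before touching the record.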
Affected Version(s)
lunary-ai/lunary <= unspecified
CVSS V3.1
Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
