Insufficient Granularity of Access Control Vulnerability Affects Dataset Information Integrity
CVE-2024-5389

8.1 HIGH

Key Information:

Vendor: Lunary-ai
CVE Published: 9 June 2024

What is CVE-2024-5389?

In version 1.2.13 of Lunary, a vulnerability related to insufficient granularity of access control allows users to create, update, get, and delete prompt variations for datasets they do not own. This flaw occurs because the application fails to validate dataset prompt ownership appropriately against the requesting user's organization or project. Consequently, unauthorized modifications can take place, leading to changes in dataset prompts that lack proper authorization. These alterations compromise the integrity and consistency of dataset information, which can adversely impact the outcomes of various experiments.
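
The missing ownership check described above, shown next to a corrected form. This is an added example, not Lunary's code: the in-memory tables, field names, ids and function names are constructed for illustration, and it assumes the caller's project is taken from the authenticated session (`ctx.projectId`).

```javascript
// Constructed sample data; the schema and ids are hypothetical, not Lunary's.
const datasets = new Map([
  ["ds-a", { id: "ds-a", projectId: "proj-a" }],
  ["ds-b", { id: "ds-b", projectId: "proj-b" }],
]);
const prompts = new Map([
  ["p-a1", { id: "p-a1", datasetId: "ds-a" }],
  ["p-b1", { id: "p-b1", datasetId: "ds-b" }],
]);
const variations = new Map([
  ["v-a1", { id: "v-a1", promptId: "p-a1", variables: { name: "Alice" } }],
  ["v-b1", { id: "v-b1", promptId: "p-b1", variables: { name: "Bob" } }],
]);

// Walk variation -> prompt -> dataset and return the owning project, or null
// if any link in the chain is missing.
function owningProject(variationId) {
  const variation = variations.get(variationId);
  const prompt = variation && prompts.get(variation.promptId);
  const dataset = prompt && datasets.get(prompt.datasetId);
  return dataset ? dataset.projectId : null;
}

// Flawed pattern: the caller is authenticated, but the record is selected by
// id alone, so ctx.projectId never constrains which variation is touched.
function updateVariationUnchecked(ctx, variationId, variables) {
  const variation = variations.get(variationId);
  if (!variation) return { status: 404 };
  variation.variables = variables;
  return { status: 200, body: variation };
}

// Corrected pattern: the ownership chain must end in the caller's project.
// Returning 404 for both "missing" and "not yours" avoids confirming that a
// foreign id exists.
function updateVariationChecked(ctx, variationId, variables) {
  const owner = owningProject(variationId);
  if (!ctx.projectId || owner === null || owner !== ctx.projectId) {
    return { status: 404 };
  }
  const variation = variations.get(variationId);
  variation.variables = variables;
  return { status: 200, body: variation };
}
```

The same check belongs on every verb the description lists (create, update, get, delete), ideally enforced in the query itself by joining through to the dataset's project rather than as a separate lookup.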

Affected Version(s)

lunary-ai/lunary <= unspecified

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
