Access Control Flaw in Lunary AI Affects Database Security
CVE-2024-9095
CVSS 9.8 CRITICAL
What is CVE-2024-9095?
An access control flaw has been identified in Lunary AI's API, specifically in the /bigquery route of version v1.4.28. The route lets any logged-in user create a Datastream to Google BigQuery, which can result in unauthorized exports of the database. Sensitive data, including password hashes and API keys, can be exposed because the route does not perform a robust user authorization check: a configuration check is present, but it only confirms that the export feature is set up and never evaluates the caller's access level. This oversight enables data extraction, threatens service integrity, and puts account credentials at risk of compromise.
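The flaw described above is a missing authorization step rather than a missing authentication step. The following added example (not Lunary's code) contrasts a route handler that consults only the feature configuration with one that also checks the caller's role; the config shape, user records, role names and the audit log are assumptions made for the demonstration.

```javascript
// Constructed configuration: the BigQuery export feature is "configured",
// which is the only condition the flawed handler consults.
const config = { bigQueryEnabled: true };

// Constructed users: both are authenticated, only one administers the project.
const users = {
  alice: { id: "alice", role: "admin" },
  bob: { id: "bob", role: "member" },
};

// Audit trail of every export attempt, so denied calls are visible to
// monitoring as well as successful ones (assumed structure).
const auditLog = [];
function audit(user, outcome) {
  auditLog.push({ route: "/bigquery", user: user ? user.id : null, outcome });
}

// Flawed handler: any logged-in user succeeds, because the check answers
// "is the feature configured?" and never "may this caller export data?".
function createDatastreamFlawed(req) {
  if (!config.bigQueryEnabled) return { status: 501, body: "not configured" };
  if (!req.user) return { status: 401, body: "unauthenticated" };
  audit(req.user, "created");
  return { status: 200, body: `datastream created by ${req.user.id}` };
}

// Hardened handler: same configuration check, plus an explicit, deny-by-
// default authorization check against an allow-list of roles.
const EXPORT_ROLES = new Set(["admin"]); // assumed role permitted to export

function createDatastreamHardened(req) {
  if (!config.bigQueryEnabled) return { status: 501, body: "not configured" };
  if (!req.user) return { status: 401, body: "unauthenticated" };
  if (!EXPORT_ROLES.has(req.user.role)) {
    audit(req.user, "denied");
    return { status: 403, body: "forbidden: export requires an admin role" };
  }
  audit(req.user, "created");
  return { status: 200, body: `datastream created by ${req.user.id}` };
}

// Demo: the ordinary member succeeds against the flawed route and is
// rejected by the hardened one, while the admin is allowed by both.
console.log(createDatastreamFlawed({ user: users.bob }).status);    // 200
console.log(createDatastreamHardened({ user: users.bob }).status);  // 403
console.log(createDatastreamHardened({ user: users.alice }).status); // 200
```

Reviewing the audit trail for "denied" entries on export routes is a cheap way to detect probing of this kind of endpoint after the fix is deployed.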
Affected Version(s)
lunary-ai/lunary < 1.4.30
CVSS V3.1
Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
CVSS V3.0
Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged