CVE-2024-4151

{"id": "CVE-2024-4151", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.5, "exploitabilityScore": 2.8}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2024-05-20T15:15:08.510", "references": [{"url": "https://github.com/lunary-ai/lunary/commit/ddfd497afd017a6946c582a1a806687fdac888bf", "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/4acfef85-dedf-43bd-8438-0d8aaa4ffa01", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/4acfef85-dedf-43bd-8438-0d8aaa4ffa01", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-639"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "An Improper Access Control vulnerability exists in lunary-ai/lunary version 1.2.2, where users can view and update any prompts in any projects due to insufficient access control checks in the handling of PATCH and GET requests for template versions. This vulnerability allows unauthorized users to manipulate or access sensitive project data, potentially leading to data integrity and confidentiality issues."}, {"lang": "es", "value": " Existe una vulnerabilidad de control de acceso inadecuado en lunary-ai/lunary versi\u00f3n 1.2.2, donde los usuarios pueden ver y actualizar cualquier mensaje en cualquier proyecto debido a comprobaciones de control de acceso insuficientes en el manejo de solicitudes PATCH y GET para versiones de plantillas. Esta vulnerabilidad permite a usuarios no autorizados manipular o acceder a datos confidenciales del proyecto, lo que podr\u00eda generar problemas de integridad y confidencialidad de los datos."}], "lastModified": "2025-01-31T11:15:10.620", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "84358D2A-36D0-4D73-8ED6-AAE4229717CB", "versionEndExcluding": "1.2.25"}], "operator": "OR"}]}], "sourceIdentifier": "security@huntr.dev"}