
CVE-2024-4151: Improper Access Control in lunary-ai/lunary

8.3 CVSS

Description

An Improper Access Control vulnerability exists in lunary-ai/lunary version 1.2.2, where users can view and update any prompts in any projects due to insufficient access control checks in the handling of PATCH and GET requests for template versions. This vulnerability allows unauthorized users to manipulate or access sensitive project data, potentially leading to data integrity and confidentiality issues.
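The class of flaw described above, as an added example that is not lunary's code and not taken from the referenced commit: a lookup by id alone beside handlers that scope every GET and PATCH to the caller's project. The data model and all names (`templates`, `versions`, `ctx.projectId`, the function names) are hypothetical, and the sample records are constructed.

```javascript
// Constructed sample data: two projects, each owning one template version.
// Every name in this block is hypothetical, not lunary's schema or API.
const templates = new Map([
  [1, { id: 1, projectId: "proj-a" }],
  [2, { id: 2, projectId: "proj-b" }],
]);
const versions = new Map([
  [10, { id: 10, templateId: 1, content: "prompt A" }],
  [20, { id: 20, templateId: 2, content: "prompt B" }],
]);

// Flawed pattern: the record is fetched by id only, so any authenticated
// caller reaches any project's version. ctx is never consulted.
function getVersionUnsafe(ctx, versionId) {
  return versions.get(versionId) ?? null;
}

// Hardened lookup: a version resolves only through a template owned by the
// caller's project. ctx.projectId is assumed to come from the authenticated
// session, never from the request body or query string.
function findOwnedVersion(ctx, versionId) {
  const version = versions.get(versionId);
  if (!version) return null;
  const template = templates.get(version.templateId);
  return template && template.projectId === ctx.projectId ? version : null;
}

// GET handler: a foreign id and a missing id both return 404, so the
// response does not reveal which ids exist in other projects.
function getVersion(ctx, versionId) {
  const version = findOwnedVersion(ctx, versionId);
  return version ? { status: 200, body: { ...version } } : { status: 404 };
}

// PATCH handler: same ownership check before any write, and only an
// allow-listed field is copied from the request.
function patchVersion(ctx, versionId, patch) {
  const version = findOwnedVersion(ctx, versionId);
  if (!version) return { status: 404 };
  if (typeof patch.content === "string") version.content = patch.content;
  return { status: 200, body: { ...version } };
}
```

A regression test for this kind of bug authenticates as one project and requests another project's ids on every read and write route, expecting the same response as for a nonexistent id.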

Classification

CVE ID: CVE-2024-4151

CVSS Base Severity: HIGH

CVSS Base Score: 8.3

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Affected Products

Vendor: lunary-ai

Product: lunary-ai/lunary

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.06% (probability of being exploited)

EPSS Percentile: 26.28% (share of scored vulnerabilities with an equal or lower EPSS score)

EPSS Date: 2025-03-01 (date the score was calculated)

References

https://huntr.com/bounties/4acfef85-dedf-43bd-8438-0d8aaa4ffa01
https://github.com/lunary-ai/lunary/commit/ddfd497afd017a6946c582a1a806687fdac888bf
