CVE-2024-1738

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-1738
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-1738.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-1738
Published
2024-04-16T00:15:10Z
Modified
2025-01-10T15:49:35.035405Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

An incorrect authorization vulnerability exists in the lunary-ai/lunary repository, specifically within the evaluations.get route in the evaluations API endpoint. This vulnerability allows unauthorized users to retrieve the results of any organization's evaluation by simply knowing the evaluation ID, due to the lack of project ID verification in the SQL query. As a result, attackers can gain access to potentially private data contained within the evaluation results.

References

Affected packages

Git / github.com/lunary-ai/lunary

Affected ranges

Type
GIT
Repo
https://github.com/lunary-ai/lunary
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

v0.*

v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.2.0
v0.2.1
v0.3.0
v0.3.1

v1.*

v1.0.0
v1.0.1
v1.0.2
v1.1.0
v1.2.0
v1.2.1
v1.2.2
v1.2.3