Home > Vulnerability Database > CVE-2024-5389

Mend.io Vulnerability Database

CVE-2024-5389

Date: June 9, 2024

In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to create, update, get, and delete prompt variations for datasets not owned by their organization. This issue arises due to the application not properly validating the ownership of dataset prompts and their variations against the organization or project of the requesting user. As a result, unauthorized modifications to dataset prompts can occur, leading to altered or removed dataset prompts without proper authorization. This vulnerability impacts the integrity and consistency of dataset information, potentially affecting the results of experiments.

Language: TYPE_SCRIPT

Severity Score

8.1

Related Resources (6)

Url: https://github.com/lunary-ai/lunary

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-5389

Url: https://huntr.com/bounties/3ca5309f-5615-4d5b-8043-968af220d7a2

Url: https://github.com/lunary-ai/lunary-py

Url: https://github.com/lunary-ai/lunary/commit/35dd4af0001a54ccb14276a1546eb977f82c0c5e

Url: https://www.mend.io/vulnerability-database/CVE-2024-5389

Severity Score

8.1

Weakness Type (CWE)

Insufficient Granularity of Access Control

CWE-1220

CVSS v3.1

Base Score:	8.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-5389

Date: June 9, 2024

Language: TYPE_SCRIPT

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?