mirror of
https://github.com/fkie-cad/nvd-json-data-feeds.git
synced 2025-06-01 03:01:36 +00:00
63 lines
2.7 KiB
JSON
63 lines
2.7 KiB
JSON
{
|
|
"id": "CVE-2024-1665",
|
|
"sourceIdentifier": "security@huntr.dev",
|
|
"published": "2024-04-16T00:15:10.150",
|
|
"lastModified": "2024-04-16T13:24:07.103",
|
|
"vulnStatus": "Awaiting Analysis",
|
|
"descriptions": [
|
|
{
|
|
"lang": "en",
|
|
"value": "lunary-ai/lunary version 1.0.0 is vulnerable to unauthorized evaluation creation due to missing server-side checks for user account status during evaluation creation. While the web UI restricts evaluation creation to paid accounts, the server-side API endpoint '/v1/evaluations' does not verify if the user has a paid account, allowing users with free or self-hosted accounts to create unlimited evaluations without upgrading their account. This vulnerability is due to the lack of account status validation in the evaluation creation process."
|
|
},
|
|
{
|
|
"lang": "es",
|
|
"value": "lunary-ai/lunary versi\u00f3n 1.0.0 es vulnerable a la creaci\u00f3n de evaluaciones no autorizadas debido a que faltan verificaciones del lado del servidor para el estado de la cuenta de usuario durante la creaci\u00f3n de la evaluaci\u00f3n. Si bien la interfaz de usuario web restringe la creaci\u00f3n de evaluaciones a cuentas pagas, el endpoint API del lado del servidor '/v1/evaluations' no verifica si el usuario tiene una cuenta paga, lo que permite a los usuarios con cuentas gratuitas o autohospedadas crear evaluaciones ilimitadas sin actualizar su cuenta. Esta vulnerabilidad se debe a la falta de validaci\u00f3n del estado de la cuenta en el proceso de creaci\u00f3n de la evaluaci\u00f3n."
|
|
}
|
|
],
|
|
"metrics": {
|
|
"cvssMetricV30": [
|
|
{
|
|
"source": "security@huntr.dev",
|
|
"type": "Secondary",
|
|
"cvssData": {
|
|
"version": "3.0",
|
|
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
|
|
"attackVector": "NETWORK",
|
|
"attackComplexity": "LOW",
|
|
"privilegesRequired": "NONE",
|
|
"userInteraction": "NONE",
|
|
"scope": "UNCHANGED",
|
|
"confidentialityImpact": "NONE",
|
|
"integrityImpact": "LOW",
|
|
"availabilityImpact": "NONE",
|
|
"baseScore": 5.3,
|
|
"baseSeverity": "MEDIUM"
|
|
},
|
|
"exploitabilityScore": 3.9,
|
|
"impactScore": 1.4
|
|
}
|
|
]
|
|
},
|
|
"weaknesses": [
|
|
{
|
|
"source": "security@huntr.dev",
|
|
"type": "Primary",
|
|
"description": [
|
|
{
|
|
"lang": "en",
|
|
"value": "CWE-770"
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"references": [
|
|
{
|
|
"url": "https://github.com/lunary-ai/lunary/commit/c57cd50fa0477fd2a2efe60810c0099eebd66f54",
|
|
"source": "security@huntr.dev"
|
|
},
|
|
{
|
|
"url": "https://huntr.com/bounties/c0e6299e-ea45-435c-b849-53d50ffc0e83",
|
|
"source": "security@huntr.dev"
|
|
}
|
|
]
|
|
} |