CVE-2024-1666

Exploit

EPSS 0.09%
Veröffentlicht 16.04.2024 00:15:10
Zuletzt bearbeitet 10.01.2025 14:34:01
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

In lunary-ai/lunary version 1.0.0, an authorization flaw exists that allows unauthorized radar creation. The vulnerability stems from the lack of server-side checks to verify if a user is on a free account during the radar creation process, which is only enforced in the web UI. As a result, attackers can bypass the intended account upgrade requirement by directly sending crafted requests to the server, enabling the creation of an unlimited number of radars without payment.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Lunary ≫ Lunary Version < 1.2.7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.09%	0.255

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
security@huntr.dev	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://github.com/lunary-ai/lunary/commit/c57cd50fa0477fd2a2efe60810c0099eebd66f54

Patch

https://huntr.com/bounties/0f310501-b5b0-4be0-ae38-d6b836f71ff0

Patch

Third Party Advisory

Exploit

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2024-1666

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-1666

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-1666

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-1666