CVE-2024-6862

Exploit

EPSS 0.33%
Veröffentlicht 13.09.2024 17:15:13
Zuletzt bearbeitet 19.09.2024 18:37:20
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

A Cross-Site Request Forgery (CSRF) vulnerability exists in lunary-ai/lunary version 1.2.34 due to overly permissive CORS settings. This vulnerability allows an attacker to sign up for and create projects or use the instance as if they were a user with local access. The main attack vector is for instances hosted locally on personal machines, which are not publicly accessible. The CORS settings in the backend permit all origins, exposing unauthenticated endpoints to CSRF attacks.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Lunary ≫ Lunary Version1.2.34

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.33%	0.557

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
security@huntr.dev	7.4	2.8	4	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

https://github.com/lunary-ai/lunary/commit/3451fcd7b9d95e9091d62c515752f39f2faa6e54

Patch

https://huntr.com/bounties/0b1d851e-3455-480c-ad5a-23565894976f

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-6862

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-6862

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-6862

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-6862