7.1

CVE-2024-9000

Exploit

EPSS 0.03%
Veröffentlicht 20.03.2025 10:09:25
Zuletzt bearbeitet 15.10.2025 13:15:56
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

In lunary-ai/lunary before version 1.4.26, the checklists.post() endpoint allows users to create or modify checklists without validating whether the user has proper permissions. This missing access control permits unauthorized users to create checklists, bypassing intended permission checks. Additionally, the endpoint does not validate the uniqueness of the slug field when creating a new checklist, allowing an attacker to spoof existing checklists by reusing the slug of an already-existing checklist. This can lead to significant data integrity issues, as legitimate checklists can be replaced with malicious or altered data.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Lunary ≫ Lunary Version1.4.26

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.091

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
security@huntr.dev	7.1	2.8	4.2	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://huntr.com/bounties/f5fca549-0a4a-4f64-8ccf-d4e108856da4

Third Party Advisory

Exploit

https://github.com/lunary-ai/lunary/commit/a02861ef9bb6ce860a35f7b8f178d58859cd85f0

Patch

https://nvd.nist.gov/vuln/detail/CVE-2024-9000

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-9000

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-9000

EUVD