CVE-2024-9099

Exploit

EPSS 0.07%
Veröffentlicht 20.03.2025 10:10:37
Zuletzt bearbeitet 10.04.2025 15:42:18
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

In lunary-ai/lunary version v1.4.29, the GET /projects API endpoint exposes both public and private API keys for all projects to users with minimal permissions, such as Viewers or Prompt Editors. This vulnerability allows unauthorized users to retrieve sensitive credentials, which can be used to perform actions on behalf of the project, access private data, and delete resources. The private API keys are exposed in the developer tools when the endpoint is called from the frontend.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Lunary ≫ Lunary Version1.4.29

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.07%	0.213

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
security@huntr.dev	8.8	2.8	5.9	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-1230 Exposure of Sensitive Information Through Metadata

The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit access to metadata that is derived from the original, sensitive information.

https://github.com/lunary-ai/lunary/commit/8ba1b8ba2c2c30b1cec30eb5777c1fda670cbbfc

Patch

https://huntr.com/bounties/ffb84fe8-3e60-4200-ac2d-1fd1e1c93e91

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-9099

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-9099

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-9099

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-9099