CVE-2024-1625
Published 2024-04-10
CVE-2024-1625: An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary application version 0.3.0, allowing unauthorized deletion of any…
Priority: P3 · 38 · medium · CVSS 3.1 base score 6.5
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS
0.44%
34.9th percentile
An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary application version 0.3.0, allowing unauthorized deletion of any organization's project. The vulnerability is due to insufficient authorization checks in the project deletion endpoint, where the endpoint fails to verify if the project ID provided in the request belongs to the requesting user's organization. As a result, an attacker can delete projects belonging to any organization by sending a crafted DELETE request with the target project's ID. This issue affects the project deletion functionality implemented in the projects.delete route.
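As an added illustration, not lunary's own code: a minimal TypeScript model of the pattern the description names, the delete route that only checks for a session beside the version scoped to the requester's organization. The types, function names and sample data are hypothetical and constructed for this example.

```typescript
interface Project { id: string; orgId: string; name: string }
interface Requester { userId: string; orgId: string } // taken from the session, never from the request body

// Constructed sample data: two organisations, one project each.
function makeSampleDb(): Map<string, Project> {
  return new Map<string, Project>([
    ["proj-a1", { id: "proj-a1", orgId: "org-alpha", name: "alpha-prod" }],
    ["proj-b1", { id: "proj-b1", orgId: "org-beta", name: "beta-staging" }],
  ]);
}

// Vulnerable shape (CWE-639): the route verifies that a session exists and then
// deletes whatever id arrived in the path. A member of org-beta can delete
// org-alpha's project, which is exactly the IDOR the advisory describes.
function deleteProjectVulnerable(
  db: Map<string, Project>, _req: Requester, projectId: string,
): boolean {
  return db.delete(projectId);
}

// Hardened shape: the delete is scoped to the requester's organisation.
// At the SQL layer this is the difference between
//   DELETE FROM project WHERE id = $1
// and
//   DELETE FROM project WHERE id = $1 AND org_id = $2
function deleteProjectFixed(
  db: Map<string, Project>, req: Requester, projectId: string,
): "deleted" | "not_found" {
  const p = db.get(projectId);
  // Same answer for "belongs to another org" and "does not exist", so the
  // endpoint cannot be used to confirm which project ids are valid.
  if (p === undefined || p.orgId !== req.orgId) return "not_found";
  db.delete(projectId);
  return "deleted";
}
```

A regression test for the fix is the cross-tenant case: a requester from one organization asking to delete another organization's project must get `not_found` and leave the row in place.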
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lunary-ai | lunary-ai_lunary | >= unspecified < 1.0.1 | 1.0.1 |
| lunary | lunary | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| nvd | 3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| ghsa | — | 5.0 | MEDIUM | — |
| vendor_redhat | — | 7.4 | HIGH | — |
GHSA
openstack-heat may disclose sensitive information
ghsa · 2024-08-02 · CVSS 5.0
CVE-2024-7319 [HIGH] CWE-200 openstack-heat may disclose sensitive information
An incomplete fix for CVE-2023-1625 was found in openstack-heat. Sensitive information may possibly be disclosed through the OpenStack stack abandon command with the hidden feature set to True and the CVE-2023-1625 fix applied.
GHSA
GHSA-882m-54cg-63q7: An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary application version 0
ghsa_unreviewed · 2024-04-10
CVE-2024-1625 [HIGH] CWE-639 GHSA-882m-54cg-63q7: An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary application version 0
Red Hat
openstack-heat: Incomplete fix for CVE-2023-1625
vendor_redhat · 2024-07-31 · CVSS 7.4
CVE-2024-7319 [HIGH] CWE-200 openstack-heat: Incomplete fix for CVE-2023-1625
An incomplete fix for CVE-2023-1625 was found in openstack-heat. Sensitive information may possibly be disclosed through the OpenStack stack abandon command with the hidden feature set to True and the CVE-2023-1625 fix applied.
Statement: While this flaw leaks a password, which could reduce confidentiality, integrity, and availability, the impact to this triad is rated Low. This is because OpenStack can not be more broadly compromised for two reasons:
a) The host has separate authorization authority from the guest
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-04-10