
Lunary-Ai Lunary vulnerabilities

71 known vulnerabilities affecting lunary-ai/lunary-ai_lunary.

Total CVEs: 71
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 33, MEDIUM 28

Vulnerabilities

Page 3 of 4
CVE-2024-8763 | P3 | HIGH | CVSS 7.5 | ≥ unspecified, < 1.4.23 | 2025-03-20
[HIGH] CWE-1333: A Regular Expression Denial of Service (ReDoS) vulnerability exists in the lunary-ai/lunary repository, specifically in the compileTextTemplate function. The affected version is git be54057. An attacker can exploit this vulnerability by manipulating the regular expression /{{(.*?)}}/g, causing the server to hang indefinitely and become unresponsive to
Source: nvd
CVE-2024-8998 | P3 | HIGH | CVSS 7.5 | ≥ unspecified, < 1.4.26 | 2025-03-20
[HIGH] CWE-1333: A Regular Expression Denial of Service (ReDoS) vulnerability exists in lunary-ai/lunary version git f07a845. The server uses the regex /{.*?}/ to match user-controlled strings. In the default JavaScript regex engine, this regex can take polynomial time to match certain crafted user inputs. As a result, an attacker can cause the server to hang for an arb
Source: nvd
CVE-2024-9096 | P3 | HIGH | CVSS 7.1 | ≥ unspecified, < 1.4.30 | 2025-03-20
[HIGH] CWE-862: In lunary-ai/lunary version 1.4.28, the /checklists/:id route allows low-privilege users to modify checklists by sending a PATCH request. The route lacks proper access control, such as middleware to ensure that only authorized users (e.g., project owners or admins) can modify checklist data. This vulnerability allows any user associated with the project
Source: nvd
CVE-2024-11300 | P3 | MEDIUM | CVSS 6.5 | ≥ unspecified, < 1.6.3 | 2025-03-20
[MEDIUM] CWE-639: In lunary-ai/lunary before version 1.6.3, an improper access control vulnerability exists where a user can access prompt data of another user. This issue affects version 1.6.2 and the main branch. The vulnerability allows unauthorized users to view sensitive prompt data by accessing specific URLs, leading to potential exposure of critical informatio
Source: nvd
CVE-2024-5248 | P3 | MEDIUM | CVSS 6.5 | ≥ unspecified, < 1.4.9 | 2024-06-06
[MEDIUM] CWE-862: In lunary-ai/lunary version 1.2.5, an improper access control vulnerability exists due to a missing permission check in the `GET /v1/users/me/org` endpoint. The platform's role definitions restrict the `Prompt Editor` role to prompt management and project viewing/listing capabilities, explicitly excluding access to user information. However, the endpoi
Source: nvd
CVE-2024-3760 | P3 | HIGH | CVSS 7.5 | ≥ unspecified, < 1.2.8 | 2024-11-14
[HIGH] CWE-770: In lunary-ai/lunary version 1.2.7, there is a lack of rate limiting on the forgot password page, leading to an email bombing vulnerability. Attackers can exploit this by automating forgot password requests to flood targeted user accounts with a high volume of password reset emails. This not only overwhelms the victim's mailbox, making it difficult to ma
Source: nvd
CVE-2024-9000 | P3 | MEDIUM | CVSS 6.5 | ≥ unspecified, < 1.4.26 | 2025-03-20
[MEDIUM] CWE-862: In lunary-ai/lunary before version 1.4.26, the checklists.post() endpoint allows users to create or modify checklists without validating whether the user has proper permissions. This missing access control permits unauthorized users to create checklists, bypassing intended permission checks. Additionally, the endpoint does not validate the uniqueness o
Source: nvd
CVE-2024-10330 | P3 | MEDIUM | CVSS 6.5 | ≥ unspecified, < 1.5.7 | 2025-03-20
[MEDIUM] CWE-862: In lunary-ai/lunary version 1.5.6, the `/v1/evaluators/` endpoint lacks proper access control, allowing any user associated with a project to fetch all evaluator data regardless of their role. This vulnerability permits low-privilege users to access potentially sensitive evaluation data.
Source: nvd
CVE-2024-5126 | P3 | MEDIUM | CVSS 6.5 | ≥ unspecified, < 1.2.25 | 2024-06-06
[MEDIUM] CWE-862: An improper access control vulnerability exists in the lunary-ai/lunary repository, specifically within the versions.patch functionality for updating prompts. Affected versions include 1.2.2 up to but not including 1.2.25. The vulnerability allows unauthorized users to update prompt details due to insufficient access control checks. This issue was add
Source: nvd
CVE-2024-4148 | P3 | HIGH | CVSS 7.5 | ≥ unspecified, < 1.3.4 | 2024-06-01
[HIGH] CWE-1333: A Regular Expression Denial of Service (ReDoS) vulnerability exists in the lunary-ai/lunary application, version 1.2.10. An attacker can exploit this vulnerability by maliciously manipulating regular expressions, which can significantly impact the response time of the application and potentially render it completely non-functional. Specifically, the vu
Source: nvd
CVE-2024-5131 | P3 | MEDIUM | CVSS 6.5 | ≥ unspecified, < 1.2.25 | 2024-06-06
[MEDIUM] CWE-639: An Improper Access Control vulnerability exists in the lunary-ai/lunary repository, affecting versions up to and including 1.2.2. The vulnerability allows unauthorized users to view any prompts in any projects by supplying a specific prompt ID to an endpoint that does not adequately verify the ownership of the prompt ID. This issue was fixed in versio
Source: nvd
CVE-2024-1625 | P3 | MEDIUM | CVSS 6.5 | ≥ unspecified, < 1.0.1 | 2024-04-10
[MEDIUM] CWE-639: An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary application version 0.3.0, allowing unauthorized deletion of any organization's project. The vulnerability is due to insufficient authorization checks in the project deletion endpoint, where the endpoint fails to verify if the project ID provided in the request belo
Source: nvd
CVE-2024-4147 | P3 | MEDIUM | CVSS 6.5 | ≥ unspecified, < 1.2.25 | 2026-02-02
[MEDIUM] CWE-1220: In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to delete prompts created in other organizations through ID manipulation. The vulnerability stems from the application's failure to validate the ownership of the prompt before deletion, only checking if the user has permissions to delete such
Source: nvd
CVE-2024-11301 | P3 | MEDIUM | CVSS 6.5 | ≥ unspecified, < 1.6.3 | 2025-03-20
[MEDIUM] CWE-837: In lunary-ai/lunary before version 1.6.3, the application allows the creation of evaluators without enforcing a unique constraint on the combination of projectId and slug. This allows an attacker to overwrite existing data by submitting a POST request with the same slug as an existing evaluator. The lack of database constraints or application-layer v
Source: nvd
CVE-2024-10274 | P3 | MEDIUM | CVSS 6.5 | ≥ unspecified, < 1.5.7 | 2025-03-20
[MEDIUM] CWE-862: An improper authorization vulnerability exists in lunary-ai/lunary version 1.5.5. The /users/me/org endpoint lacks adequate access control mechanisms, allowing unauthorized users to access sensitive information about all team members in the current organization. This vulnerability can lead to the disclosure of sensitive information such as names, rol
Source: nvd
CVE-2024-6867 | P3 | MEDIUM | CVSS 6.5 | ≥ unspecified, < 1.4.10 | 2024-09-13
[MEDIUM] CWE-1220: An information disclosure vulnerability exists in the lunary-ai/lunary, specifically in the `runs/{run_id}/related` endpoint. This endpoint does not verify that the user has the necessary access rights to the run(s) they are accessing. As a result, it returns not only the specified run but also all runs that have the `run_id` listed as their parent r
Source: nvd
CVE-2024-10273 | P3 | MEDIUM | CVSS 6.5 | ≥ unspecified, < 1.5.7 | 2025-03-20
[MEDIUM] CWE-863: In lunary-ai/lunary v1.5.0, improper privilege management in the models.ts file allows users with viewer roles to modify models owned by others. The PATCH endpoint for models does not have appropriate privilege checks, enabling low-privilege users to update models they should not have access to modify. This vulnerability could lead to unauthorized c
Source: nvd
CVE-2024-4154 | P3 | MEDIUM | CVSS 6.5 | ≥ unspecified, < 1.2.26 | 2024-05-21
[MEDIUM] CWE-639: In lunary-ai/lunary version 1.2.2, an incorrect synchronization vulnerability allows unprivileged users to rename projects they do not have access to. Specifically, an unprivileged user can send a PATCH request to the project's endpoint with a new name for a project, despite not having the necessary permissions or being assigned to the project. This i
Source: nvd
CVE-2024-3504 | P3 | MEDIUM | CVSS 6.5 | ≥ unspecified, < 1.2.7 | 2024-06-06
[MEDIUM] CWE-863: An improper access control vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, where an admin can update any organization user to the organization owner. This vulnerability allows the elevated user to delete projects within the organization. The issue is resolved in version 1.2.7.
Source: nvd
CVE-2024-7473 | P4 | MEDIUM | CVSS 6.5 | ≥ unspecified, < 1.4.3 | 2024-10-29
[MEDIUM] CWE-639: An IDOR vulnerability exists in the 'Evaluations' function of the 'umgws datasets' section in lunary-ai/lunary versions 1.3.2. This vulnerability allows an authenticated user to update other users' prompts by manipulating the 'id' parameter in the request. The issue is fixed in version 1.4.3.
Source: nvd