CVE-2024-11301

Summary

In lunary-ai/lunary before version 1.6.3, the application allows the creation of evaluators without enforcing a unique constraint on the combination of projectId and slug. This allows an attacker to overwrite existing data by submitting a POST request with the same slug as an existing evaluator. The lack of database constraints or application-layer validation to prevent duplicates exposes the application to data integrity issues. This vulnerability can result in corrupted data and potentially malicious actions, impairing the system's functionality.

Affected Software

VendorProductVersion RangeStatus
lunary-ailunary-ai/lunaryunspecified < 1.6.3affected

Weaknesses

  • CWE-837: CWE-837 Improper Enforcement of a Single, Unique Action

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References