lunary-ai/lunary version 0.3.0 is vulnerable to unauthorized project creation due to insufficient server-side validation of user account types during project creation. In the free account tier, users are limited to creating only two projects. However, this restriction is enforced only in the web UI and not on the server side, allowing users to bypass the limitation and create an unlimited number of projects without upgrading their account or incurring additional charges. This vulnerability is due to the lack of checks in the project creation endpoint.
References
Configurations
No configuration.
History
10 Apr 2024, 17:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-04-10 17:15
Updated : 2024-04-10 19:49
NVD link : CVE-2024-1599
Mitre link : CVE-2024-1599
CVE.ORG link : CVE-2024-1599
JSON object : View
Products Affected
No product.
CWE
CWE-770
Allocation of Resources Without Limits or Throttling