lunary-ai/lunary version 1.0.0 is vulnerable to unauthorized evaluation creation due to missing server-side checks for user account status during evaluation creation. While the web UI restricts evaluation creation to paid accounts, the server-side API endpoint '/v1/evaluations' does not verify if the user has a paid account, allowing users with free or self-hosted accounts to create unlimited evaluations without upgrading their account. This vulnerability is due to the lack of account status validation in the evaluation creation process.
References
Configurations
No configuration.
History
16 Apr 2024, 13:24
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
16 Apr 2024, 00:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-04-16 00:15
Updated : 2024-04-16 13:24
NVD link : CVE-2024-1665
Mitre link : CVE-2024-1665
CVE.ORG link : CVE-2024-1665
JSON object : View
Products Affected
No product.
CWE
CWE-770
Allocation of Resources Without Limits or Throttling