CVE-2024-1666

In lunary-ai/lunary version 1.0.0, an authorization flaw exists that allows unauthorized radar creation. The vulnerability stems from the lack of server-side checks to verify if a user is on a free account during the radar creation process, which is only enforced in the web UI. As a result, attackers can bypass the intended account upgrade requirement by directly sending crafted requests to the server, enabling the creation of an unlimited number of radars without payment.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/lunary-ai/lunary/commit/c57cd50fa0477fd2a2efe60810c0099eebd66f54
https://huntr.com/bounties/0f310501-b5b0-4be0-ae38-d6b836f71ff0

Configurations

No configuration.

History

16 Apr 2024, 13:24

Type	Values Removed	Values Added
Summary		(es) En lunary-ai/lunary versión 1.0.0, existe una falla de autorización que permite la creación de radares no autorizados. La vulnerabilidad surge de la falta de comprobaciones del lado del servidor para verificar si un usuario tiene una cuenta gratuita durante el proceso de creación del radar, que sólo se aplica en la interfaz de usuario web. Como resultado, los atacantes pueden eludir el requisito de actualización de cuenta previsto enviando directamente solicitudes manipuladas al servidor, lo que permite la creación de una cantidad ilimitada de radares sin pago.

16 Apr 2024, 00:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-04-16 00:15

Updated : 2024-04-16 13:24

NVD link : CVE-2024-1666

Mitre link : CVE-2024-1666

CVE.ORG link : CVE-2024-1666

JSON object : View

Products Affected

No product.

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

7.5 /10