CVE-2024-5389

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-5389

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-5389.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-5389

Published

2024-06-09T23:15:50.490Z

Modified

2025-11-20T12:31:21.779141Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to create, update, get, and delete prompt variations for datasets not owned by their organization. This issue arises due to the application not properly validating the ownership of dataset prompts and their variations against the organization or project of the requesting user. As a result, unauthorized modifications to dataset prompts can occur, leading to altered or removed dataset prompts without proper authorization. This vulnerability impacts the integrity and consistency of dataset information, potentially affecting the results of experiments.

References

https://huntr.com/bounties/3ca5309f-5615-4d5b-8043-968af220d7a2

Affected packages

Git / github.com/lunary-ai/lunary

Affected ranges

Type: GIT
Repo: https://github.com/lunary-ai/lunary
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

d4c5133597e4e3a2b99a5ebc7a7ed1bcd60476d5

Affected versions

1.*

1.2.4

Other

test1

test2

vtest

v0.*

v0.1.0

v0.1.1

v0.1.2

v0.1.3

v0.1.4

v0.1.5

v0.2.0

v0.2.1

v0.3.0

v0.3.1

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.1.0

v1.2.0

v1.2.1

v1.2.10

v1.2.11

v1.2.12

v1.2.13

v1.2.2

v1.2.3

v1.2.5

v1.2.6

v1.2.7

v1.2.8

v1.2.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-5389.json"