GHSA-3mwc-2cj7-gx8c

Suggest an improvement
Source
https://github.com/advisories/GHSA-3mwc-2cj7-gx8c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-3mwc-2cj7-gx8c/GHSA-3mwc-2cj7-gx8c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3mwc-2cj7-gx8c
Aliases
  • CVE-2024-5389
Published
2024-06-10T00:30:39Z
Modified
2024-06-12T19:33:09.021052Z
Severity
  • 9.3 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N CVSS Calculator
Summary
lunary-ai/lunary Access Control Vulnerability in Prompt Variation Management
Details

In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to create, update, get, and delete prompt variations for datasets not owned by their organization. This issue arises due to the application not properly validating the ownership of dataset prompts and their variations against the organization or project of the requesting user. As a result, unauthorized modifications to dataset prompts can occur, leading to altered or removed dataset prompts without proper authorization. This vulnerability impacts the integrity and consistency of dataset information, potentially affecting the results of experiments.

References

Affected packages

PyPI / lunary

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.0.52a0
0.0.52a2
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.1.10
0.1.11
0.1.12
0.1.13
0.1.14
0.1.15
0.1.16
0.1.17
0.1.18
0.1.19
0.1.20
0.1.21
0.1.22
0.1.23
0.1.24
0.1.25
0.1.26
0.1.27
0.1.28
0.1.29
0.1.30
0.1.31
0.1.32
0.1.33
0.1.34
0.1.35
0.1.36
0.1.37
0.1.38
0.1.39
0.1.40
0.1.41
0.1.42
0.1.43
0.1.44
0.1.45
0.1.46
0.1.47
0.1.48
0.1.49
0.1.50
0.1.51
0.1.52
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.7
0.2.8
0.2.9
0.3.0

1.*

1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.10
1.0.11
1.0.12
1.0.13
1.0.14
1.0.15
1.0.16
1.0.17
1.0.18
1.0.19
1.0.20a0
1.0.20
1.0.21
1.0.22
1.0.23a0
1.0.23a2
1.0.23a3
1.0.23a4
1.0.23a5
1.0.23a6
1.0.23a7
1.0.23
1.0.24
1.0.26
1.0.27
1.0.28
1.0.29
1.0.30a0
1.0.30
1.0.31a0
1.0.31a2
1.0.31a3
1.0.31a4
1.0.31a5
1.0.31a6
1.0.31a7
1.0.31a8
1.0.31
1.0.32

Database specific

{
    "last_known_affected_version_range": "< 1.2.13"
}