An information disclosure vulnerability exists in the lunary-ai/lunary, specifically in the runs/{run_id}/related
endpoint. This endpoint does not verify that the user has the necessary access rights to the run(s) they are accessing. As a result, it returns not only the specified run but also all runs that have the run_id
listed as their parent run. This issue affects the main branch, commit a761d833. The vulnerability allows unauthorized users to obtain information about non-public runs and their related runs, given the run_id
of a public or non-public run.
{ "nvd_published_at": "2024-09-13T17:15:13Z", "cwe_ids": [ "CWE-1220" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-09-13T19:34:16Z" }