Описание
In lunary-ai/lunary version 1.5.6, the /v1/evaluators/ endpoint lacks proper access control, allowing any user associated with a project to fetch all evaluator data regardless of their role. This vulnerability permits low-privilege users to access potentially sensitive evaluation data.
Ссылки
- Patch
- ExploitThird Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 1.5.7 (исключая)
cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*
EPSS
Процентиль: 28%
0.00099
Низкий
6.5 Medium
CVSS3
Дефекты
CWE-862
Связанные уязвимости
CVSS3: 6.5
github
11 месяцев назад
In lunary-ai/lunary version 1.5.6, the `/v1/evaluators/` endpoint lacks proper access control, allowing any user associated with a project to fetch all evaluator data regardless of their role. This vulnerability permits low-privilege users to access potentially sensitive evaluation data.
EPSS
Процентиль: 28%
0.00099
Низкий
6.5 Medium
CVSS3
Дефекты
CWE-862