Description
An information disclosure vulnerability exists in lunary-ai/lunary, specifically in the runs/{run_id}/related endpoint. This endpoint does not verify that the user has the necessary access rights to the run(s) they are accessing. As a result, it returns not only the specified run but also all runs that have the run_id listed as their parent run. This issue affects the main branch, commit a761d833. The vulnerability allows unauthorized users to obtain information about non-public runs and their related runs, given the run_id of a public or non-public run.
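The missing check is an object-level authorization check: the handler looks up a run and its children by parent id without confirming that the caller may read them. The following added example (not lunary's own code; the in-memory store, the `Run` fields, the membership table and the function names are all assumptions constructed for illustration) shows the unchecked lookup next to a hardened version that requires read access to the parent run and filters the children by the same rule, answering 404 for both missing and forbidden runs so the endpoint does not leak whether a non-public run id exists.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Run:
    id: str
    project_id: str
    parent_run_id: Optional[str] = None
    is_public: bool = False


class NotFound(Exception):
    """Raised for both unknown and inaccessible runs (no existence oracle)."""


# Constructed sample data: two top-level runs in project "proj-a",
# one public with a mix of public/non-public children, one fully private.
RUNS: Dict[str, Run] = {
    "run-1": Run("run-1", "proj-a", None, True),
    "run-1-child-a": Run("run-1-child-a", "proj-a", "run-1", False),
    "run-1-child-b": Run("run-1-child-b", "proj-a", "run-1", True),
    "run-2": Run("run-2", "proj-a", None, False),
    "run-2-child": Run("run-2-child", "proj-a", "run-2", False),
}

# Constructed memberships: which projects each user may read.
MEMBERSHIPS: Dict[str, Set[str]] = {
    "alice": {"proj-a"},
    "mallory": {"proj-m"},
}


def related_runs_unchecked(run_id: str) -> List[str]:
    """Vulnerable shape: no caller identity, no ownership check.

    Returns the run plus every run whose parent is run_id, regardless of
    project membership or visibility (the behaviour the advisory describes).
    """
    run = RUNS.get(run_id)
    if run is None:
        raise NotFound(run_id)
    children = [r for r in RUNS.values() if r.parent_run_id == run_id]
    return [run.id] + [r.id for r in children]


def user_can_read(user: str, run: Run) -> bool:
    """A run is readable if it is public or the user belongs to its project."""
    return run.is_public or run.project_id in MEMBERSHIPS.get(user, set())


def related_runs_checked(user: str, run_id: str) -> List[str]:
    """Hardened shape: authorize the parent, then filter children by the same rule."""
    run = RUNS.get(run_id)
    # Unknown and forbidden runs look identical to the caller.
    if run is None or not user_can_read(user, run):
        raise NotFound(run_id)
    children = [
        r for r in RUNS.values()
        if r.parent_run_id == run_id and user_can_read(user, r)
    ]
    return [run.id] + [r.id for r in children]


if __name__ == "__main__":
    # A project member sees the public run and all of its children.
    print(related_runs_checked("alice", "run-1"))
    # An outsider only sees the public parent and its public child.
    print(related_runs_checked("mallory", "run-1"))
```

Filtering the children, not just the parent, is the part that matters here: a public parent run must not become a path to its non-public children, and a missing run and a forbidden run should produce the same response.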
References
- Patch
- Exploit, Third Party Advisory
Vulnerable configurations
Configuration 1
cpe:2.3:a:lunary:lunary:1.4.9:*:*:*:*:*:*:*
EPSS
Percentile: 40%
Score: 0.00184 (Low)
CVSS3: 4.3 Medium
CVSS3: 6.5 Medium
Weaknesses
CWE-1220
Related vulnerabilities
CVSS3: 4.3
github
more than 1 year ago
Withdrawn Advisory: Lunary information disclosure vulnerability