Vulnerability Description
In lunary-ai/lunary version 1.0.0, an authorization flaw exists that allows unauthorized radar creation. The vulnerability stems from the lack of server-side checks to verify if a user is on a free account during the radar creation process, which is only enforced in the web UI. As a result, attackers can bypass the intended account upgrade requirement by directly sending crafted requests to the server, enabling the creation of an unlimited number of radars without payment.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Lunary | Lunary | < 1.2.7 |
Related Weaknesses (CWE)
References
- https://github.com/lunary-ai/lunary/commit/c57cd50fa0477fd2a2efe60810c0099eebd66ExploitIssue TrackingPatch
- https://huntr.com/bounties/0f310501-b5b0-4be0-ae38-d6b836f71ff0ExploitIssue TrackingPatch
- https://github.com/lunary-ai/lunary/commit/c57cd50fa0477fd2a2efe60810c0099eebd66ExploitIssue TrackingPatch
- https://huntr.com/bounties/0f310501-b5b0-4be0-ae38-d6b836f71ff0ExploitIssue TrackingPatch
FAQ
What is CVE-2024-1666?
CVE-2024-1666 is a vulnerability with a CVSS score of 5.3 (MEDIUM). In lunary-ai/lunary version 1.0.0, an authorization flaw exists that allows unauthorized radar creation. The vulnerability stems from the lack of server-side checks to verify if a user is on a free ac...
How severe is CVE-2024-1666?
CVE-2024-1666 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-1666?
Check the references section above for vendor advisories and patch information. Affected products include: Lunary Lunary.