ByteOS Network

NVD Vulnerability Details :

CVE-2024-11301

Analyzed

Source-security@huntr.dev

Published At-20 Mar, 2025 | 10:15

Updated At-02 Jul, 2025 | 19:48

In lunary-ai/lunary before version 1.6.3, the application allows the creation of evaluators without enforcing a unique constraint on the combination of projectId and slug. This allows an attacker to overwrite existing data by submitting a POST request with the same slug as an existing evaluator. The lack of database constraints or application-layer validation to prevent duplicates exposes the application to data integrity issues. This vulnerability can result in corrupted data and potentially malicious actions, impairing the system's functionality.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.0	6.5	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Type: Secondary

Version: 3.0

Base score: 6.5

Base severity: MEDIUM

Vector:

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CPE Matches

Lunary LLC

>>lunary>>Versions before 1.6.3(exclusive)

cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-837	Primary	security@huntr.dev

CWE ID: CWE-837

Type: Primary

Source: security@huntr.dev

References

Hyperlink	Source	Resource
https://github.com/lunary-ai/lunary/commit/79dc370596d979b756f6ea0250d97a2d02385ecd	security@huntr.dev	Patch
https://huntr.com/bounties/3d99aca5-b135-4833-b48b-7806bc4bf861	security@huntr.dev	Exploit Third Party Advisory

Hyperlink: https://github.com/lunary-ai/lunary/commit/79dc370596d979b756f6ea0250d97a2d02385ecd

Source: security@huntr.dev

Resource:

Patch

Hyperlink: https://huntr.com/bounties/3d99aca5-b135-4833-b48b-7806bc4bf861

Source: security@huntr.dev

Resource:

Exploit

Third Party Advisory

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History