Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
NVD Vulnerability Details :
CVE-2024-6862
Analyzed
More InfoOfficial Page
Source-security@huntr.dev
View Known Exploited Vulnerability (KEV) details
Published At-13 Sep, 2024 | 17:15
Updated At-19 Sep, 2024 | 18:37

A Cross-Site Request Forgery (CSRF) vulnerability exists in lunary-ai/lunary version 1.2.34 due to overly permissive CORS settings. This vulnerability allows an attacker to sign up for and create projects or use the instance as if they were a user with local access. The main attack vector is for instances hosted locally on personal machines, which are not publicly accessible. The CORS settings in the backend permit all origins, exposing unauthenticated endpoints to CSRF attacks.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.18.1HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Secondary3.07.4HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Type: Primary
Version: 3.1
Base score: 8.1
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Type: Secondary
Version: 3.0
Base score: 7.4
Base severity: HIGH
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
CPE Matches
Lunary LLC
lunary
>>lunary>>1.2.34
cpe:2.3:a:lunary:lunary:1.2.34:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-352Primarysecurity@huntr.dev
CWE ID: CWE-352
Type: Primary
Source: security@huntr.dev
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/lunary-ai/lunary/commit/3451fcd7b9d95e9091d62c515752f39f2faa6e54security@huntr.dev
Patch
https://huntr.com/bounties/0b1d851e-3455-480c-ad5a-23565894976fsecurity@huntr.dev
Exploit
Third Party Advisory
Hyperlink: https://github.com/lunary-ai/lunary/commit/3451fcd7b9d95e9091d62c515752f39f2faa6e54
Source: security@huntr.dev
Resource:
Patch
Hyperlink: https://huntr.com/bounties/0b1d851e-3455-480c-ad5a-23565894976f
Source: security@huntr.dev
Resource:
Exploit
Third Party Advisory
Change History
0Changes found
Details not found