9.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-5389

GHSA ID

GHSA-3mwc-2cj7-gx8c

EPSS Score

0.28941%

CWE

CWE-1220

Published

6/10/2024

Updated

11/25/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-5389

CVE-2024-5389: lunary-ai/lunary Access Control Vulnerability in Prompt Variation Management

Withdrawn: This advisory was incorrectly linked the the npm package lunary. The advisory is valid, but not for that package.

In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to create, update, get, and delete prompt variations for datasets not owned by their organization. This issue arises due to the application not properly validating the ownership of dataset prompts and their variations against the organization or project of the requesting user. As a result, unauthorized modifications to dataset prompts can occur, leading to altered or removed dataset prompts without proper authorization. This vulnerability impacts the integrity and consistency of dataset information, potentially affecting the results of experiments.

(GitHub Advisory)

9.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-5389

GHSA ID

GHSA-3mwc-2cj7-gx8c

EPSS Score

0.28941%

CWE

CWE-1220

Published

6/10/2024

Updated

11/25/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
lunary	npm	< 1.4.9	1.4.9

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from multiple CRUD handlers in the datasets API endpoint that failed to properly validate() project ownership through JOINs with the dataset table. The commit fixes show consistent pattern of adding 'd.project_id = ${projectId}' checks across all operations. Each vulnerable function corresponds to an API route that previously executed SQL queries without proper authorization context, allowing cross-organization dataset manipulation. The frontend changes are unrelated to the access control issue.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Wit**r*wn: T*is **visory w*s in*orr**tly link** t** t** npm p**k*** `lun*ry`. T** **visory is v*li*, *ut not *or t**t p**k***. In lun*ry-*i/lun*ry v*rsion *.*.**, *n insu**i*i*nt *r*nul*rity o* ****ss *ontrol vuln*r**ility *llows us*rs to *r**t*, up

Reasoning

T** vuln*r**ility st*ms *rom multipl* *RU* **n*l*rs in t** **t*s*ts *PI *n*point t**t **il** to prop*rly `v*li**t*()` proj**t own*rs*ip t*rou** JOINs wit* t** **t*s*t t**l*. T** *ommit *ix*s s*ow *onsist*nt p*tt*rn o* ***in* '*.proj**t_i* = ${proj**t

9.3

Basic Information

Concerned about an active attack path?

CVE-2024-5389: lunary-ai/lunary Access Control Vulnerability in Prompt Variation Management

9.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI