
CVE-2024-5389: lunary-ai/lunary Access Control Vulnerability in Prompt Variation Management

CVSS Score (v3.1): 9.3

Basic Information

EPSS Score: 0.28941%
Published: 6/10/2024
Updated: 11/25/2024
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Package Name: lunary
Ecosystem: npm
Vulnerable Versions: < 1.4.9
First Patched Version: 1.4.9

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability stems from multiple CRUD handlers in the datasets API endpoint that failed to validate project ownership through JOINs with the dataset table. The fixing commits show a consistent pattern: a `d.project_id = ${projectId}` condition is added to the query of every operation. Each vulnerable function corresponds to an API route that previously executed its SQL queries without this authorization context, allowing a user of one organization to read or manipulate another organization's datasets. The frontend changes in the same commits are unrelated to the access control issue.


WAF Protection Rules

Withdrawn: This advisory was incorrectly linked to the npm package `lunary`. The advisory is valid, but not for that package. In lunary-ai/lunary version [version masked in source], an insufficient granularity of access control vulnerability allows users to create, up
