4.3

CVSS Score

3.0

Basic Information

CVE ID

CVE-2024-6867

GHSA ID

GHSA-9jmp-j63g-8x6m

EPSS Score

0.25069%

CWE

CWE-1220

Published

9/13/2024

Updated

9/13/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-6867

CVE-2024-6867: Lunary information disclosure vulnerability

An information disclosure vulnerability exists in the lunary-ai/lunary, specifically in the runs/{run_id}/related endpoint. This endpoint does not verify that the user has the necessary access rights to the run(s) they are accessing. As a result, it returns not only the specified run but also all runs that have the run_id listed as their parent run. This issue affects the main branch, commit a761d833. The vulnerability allows unauthorized users to obtain information about non-public runs and their related runs, given the run_id of a public or non-public run.

(GitHub Advisory)

4.3

CVSS Score

3.0

Basic Information

CVE ID

CVE-2024-6867

GHSA ID

GHSA-9jmp-j63g-8x6m

EPSS Score

0.25069%

CWE

CWE-1220

Published

9/13/2024

Updated

9/13/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
lunary	npm	< 1.4.10	1.4.10

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the route handler for the /runs/{id}/related endpoint. Analysis of the commit diff shows the original SQL query (lines 586-598) did not include 'project_id = ${projectId}' in the WHERE clause, allowing retrieval of runs from any project through parent_run_id relationships. The handler failed to properly scope results to the user's authorized project, violating access control requirements. The confidence is high as the fix explicitly adds project_id validation to constrain results.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n in*orm*tion *is*losur* vuln*r**ility *xists in t** lun*ry-*i/lun*ry, sp**i*i**lly in t** `runs/{run_i*}/r*l*t**` *n*point. T*is *n*point *o*s not v*ri*y t**t t** us*r **s t** n***ss*ry ****ss ri**ts to t** run(s) t**y *r* ****ssin*. *s * r*sult, i

Reasoning

T** vuln*r**ility st*ms *rom t** rout* **n*l*r *or t** /runs/{i*}/r*l*t** *n*point. *n*lysis o* t** *ommit *i** s*ows t** ori*in*l SQL qu*ry (lin*s ***-***) *i* not in*lu** 'proj**t_i* = ${proj**tI*}' in t** W**R* *l*us*, *llowin* r*tri*v*l o* runs *

4.3

Basic Information

Concerned about an active attack path?

CVE-2024-6867: Lunary information disclosure vulnerability

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI