CVE-2024-10762

In lunary-ai/lunary before version 1.5.9, the /v1/evaluators/ endpoint allows users to delete evaluators of a project by sending a DELETE request. However, the route lacks proper access control, such as middleware to ensure that only users with appropriate roles can delete evaluator data. This vulnerability allows low-privilege users to delete evaluators data, causing permanent data loss and potentially hindering operations.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector : AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/lunary-ai/lunary/commit/91587496673da24cb7ddedfbbd6e602592b20ef6	Patch
https://huntr.com/bounties/23ab508e-d956-4861-b28f-0569d3b404a6	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-03-20 10:15

Updated : 2025-07-02 19:47

NVD link : CVE-2024-10762

Mitre link : CVE-2024-10762

CVE.ORG link : CVE-2024-10762

JSON object : View

Products Affected

lunary

lunary

CWE

CWE-862

Missing Authorization

{"id": "CVE-2024-10762", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2025-03-20T10:15:19.753", "references": [{"url": "https://github.com/lunary-ai/lunary/commit/91587496673da24cb7ddedfbbd6e602592b20ef6", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://huntr.com/bounties/23ab508e-d956-4861-b28f-0569d3b404a6", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "In lunary-ai/lunary before version 1.5.9, the /v1/evaluators/ endpoint allows users to delete evaluators of a project by sending a DELETE request. However, the route lacks proper access control, such as middleware to ensure that only users with appropriate roles can delete evaluator data. This vulnerability allows low-privilege users to delete evaluators data, causing permanent data loss and potentially hindering operations."}, {"lang": "es", "value": "En lunary-ai/lunary, versiones anteriores a la 1.5.9, el endpoint /v1/evaluators/ permite a los usuarios eliminar evaluadores de un proyecto mediante una solicitud DELETE. Sin embargo, la ruta carece de un control de acceso adecuado, como middleware, para garantizar que solo los usuarios con los roles adecuados puedan eliminar los datos de los evaluadores. Esta vulnerabilidad permite a usuarios con pocos privilegios eliminar los datos de los evaluadores, lo que provoca una p\u00e9rdida permanente de datos y podr\u00eda dificultar las operaciones."}], "lastModified": "2025-07-02T19:47:49.677", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FB5D7939-E0EA-40E5-A0FA-DA4ABD363F2E", "versionEndExcluding": "1.5.9"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}