{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-10762", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2024-11-04T04:22:12.757Z", "datePublished": "2025-03-20T10:09:35.139Z", "dateUpdated": "2025-03-20T18:37:15.812Z"}, "containers": {"cna": {"title": "Missing Authorization in lunary-ai/lunary", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2025-03-20T10:09:35.139Z"}, "descriptions": [{"lang": "en", "value": "In lunary-ai/lunary before version 1.5.9, the /v1/evaluators/ endpoint allows users to delete evaluators of a project by sending a DELETE request. However, the route lacks proper access control, such as middleware to ensure that only users with appropriate roles can delete evaluator data. This vulnerability allows low-privilege users to delete evaluators data, causing permanent data loss and potentially hindering operations."}], "affected": [{"vendor": "lunary-ai", "product": "lunary-ai/lunary", "versions": [{"version": "unspecified", "lessThan": "1.5.9", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/23ab508e-d956-4861-b28f-0569d3b404a6"}, {"url": "https://github.com/lunary-ai/lunary/commit/91587496673da24cb7ddedfbbd6e602592b20ef6"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862"}]}], "source": {"advisory": "23ab508e-d956-4861-b28f-0569d3b404a6", "discovery": "EXTERNAL"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-20T17:50:38.269743Z", "id": "CVE-2024-10762", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-20T18:37:15.812Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-10762", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-20T17:50:38.269743Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-20T17:50:39.736Z"}}], "cna": {"title": "Missing Authorization in lunary-ai/lunary", "source": {"advisory": "23ab508e-d956-4861-b28f-0569d3b404a6", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "lunary-ai", "product": "lunary-ai/lunary", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "1.5.9", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/23ab508e-d956-4861-b28f-0569d3b404a6"}, {"url": "https://github.com/lunary-ai/lunary/commit/91587496673da24cb7ddedfbbd6e602592b20ef6"}], "descriptions": [{"lang": "en", "value": "In lunary-ai/lunary before version 1.5.9, the /v1/evaluators/ endpoint allows users to delete evaluators of a project by sending a DELETE request. However, the route lacks proper access control, such as middleware to ensure that only users with appropriate roles can delete evaluator data. This vulnerability allows low-privilege users to delete evaluators data, causing permanent data loss and potentially hindering operations."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2025-03-20T10:09:35.139Z"}}}, "cveMetadata": {"cveId": "CVE-2024-10762", "state": "PUBLISHED", "dateUpdated": "2025-03-20T18:37:15.812Z", "dateReserved": "2024-11-04T04:22:12.757Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2025-03-20T10:09:35.139Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*", "matchCriteriaId": "FB5D7939-E0EA-40E5-A0FA-DA4ABD363F2E", "versionEndExcluding": "1.5.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In lunary-ai/lunary before version 1.5.9, the /v1/evaluators/ endpoint allows users to delete evaluators of a project by sending a DELETE request. However, the route lacks proper access control, such as middleware to ensure that only users with appropriate roles can delete evaluator data. This vulnerability allows low-privilege users to delete evaluators data, causing permanent data loss and potentially hindering operations."}, {"lang": "es", "value": "En lunary-ai/lunary, versiones anteriores a la 1.5.9, el endpoint /v1/evaluators/ permite a los usuarios eliminar evaluadores de un proyecto mediante una solicitud DELETE. Sin embargo, la ruta carece de un control de acceso adecuado, como middleware, para garantizar que solo los usuarios con los roles adecuados puedan eliminar los datos de los evaluadores. Esta vulnerabilidad permite a usuarios con pocos privilegios eliminar los datos de los evaluadores, lo que provoca una p\u00e9rdida permanente de datos y podr\u00eda dificultar las operaciones."}], "id": "CVE-2024-10762", "lastModified": "2025-07-02T19:47:49.677", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security@huntr.dev", "type": "Secondary"}]}, "published": "2025-03-20T10:15:19.753", "references": [{"source": "security@huntr.dev", "tags": ["Patch"], "url": "https://github.com/lunary-ai/lunary/commit/91587496673da24cb7ddedfbbd6e602592b20ef6"}, {"source": "security@huntr.dev", "tags": ["Exploit", "Third Party Advisory"], "url": "https://huntr.com/bounties/23ab508e-d956-4861-b28f-0569d3b404a6"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@huntr.dev", "type": "Primary"}]}

{}