CVE-2024-6862

CVSS V2 None CVSS V3 None

Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in lunary-ai/lunary version 1.2.34 due to overly permissive CORS settings. This vulnerability allows an attacker to sign up for and create projects or use the instance as if they were a user with local access. The main attack vector is for instances hosted locally on personal machines, which are not publicly accessible. The CORS settings in the backend permit all origins, exposing unauthenticated endpoints to CSRF attacks.

Overview

CVE ID
CVE-2024-6862

Assigner
@huntr_ai

Vulnerability Status
PUBLISHED

Published Version
2024-09-13T16:13:51.639Z

Last Modified Date
2024-09-13T16:35:41.728Z

Weakness Enumerations

CWE	URL
CWE-352	http://cwe.mitre.org/data/definitions/352.html

References

Reference URL	Reference Tags
https://huntr.com/bounties/0b1d851e-3455-480c-ad5a-23565894976f
https://github.com/lunary-ai/lunary/commit/3451fcd7b9d95e9091d62c515752f39f2faa6e54

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-6862
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6862

History

Created	Old Value	New Value	Data Type	Notes
2024-09-14 13:09:25				Added to TrackCVE