CVE-2024-7456

CVSS V2: None | CVSS V3: None
Description
A SQL injection vulnerability exists in the `/api/v1/external-users` route of lunary-ai/lunary version v1.4.2. The `order by` clause of the SQL query is built from the `orderByClause` variable and passed through `sql.unsafe` with no prior validation or sanitization, so client-supplied sort parameters are interpolated verbatim into the statement text and an attacker can execute arbitrary SQL commands. Successful exploitation can lead to complete data loss, modification, or corruption.
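The following TypeScript is an added illustration of the pattern the description names, not lunary's own route code: one function interpolates the client-controlled sort field and direction directly into the `ORDER BY` text (the shape that ends up in `sql.unsafe`), the other only uses the client value as a key into an allow-list. The sort keys, column names, table name and function names are assumptions; postgres.js is not called, the block only builds the clause text so the difference is visible offline.

```typescript
// Added example for CVE-2024-7456 (hypothetical reconstruction, not lunary's code).
// Sort keys and column identifiers below are assumptions.

// Allow-list of client-facing sort keys mapped to the real column identifiers.
// A Map is used deliberately: a plain object literal would also resolve inherited
// keys such as "constructor" or "__proto__", which would turn a prototype property
// into interpolated SQL text.
const ORDER_COLUMNS: Map<string, string> = new Map([
  ["createdAt", '"created_at"'],
  ["lastSeen", '"last_seen"'],
  ["externalId", '"external_id"'],
]);

const ORDER_DIRECTIONS = new Set(["ASC", "DESC"]);

// Vulnerable shape: whatever the client sends for orderBy/direction becomes part
// of the statement. With postgres.js this string would be handed to sql.unsafe().
function buildOrderByUnsafe(orderBy: string, direction: string): string {
  return `ORDER BY ${orderBy} ${direction}`;
}

// Hardened shape: the client value is never interpolated. It only selects an entry
// from the allow-list, and unknown keys or directions are rejected before any SQL
// text is assembled.
function buildOrderBySafe(orderBy: string, direction: string): string {
  const column = ORDER_COLUMNS.get(orderBy);
  if (column === undefined) {
    throw new RangeError(`unsupported orderBy field: ${orderBy}`);
  }
  const dir = direction.toUpperCase();
  if (!ORDER_DIRECTIONS.has(dir)) {
    throw new RangeError(`unsupported order direction: ${direction}`);
  }
  return `ORDER BY ${column} ${dir}`;
}

// Assumed query skeleton; $1 stands for a value bound by the driver, the only part
// of the original statement that parameter binding protects.
function buildQuery(orderByClause: string): string {
  return `SELECT id, external_id FROM external_user WHERE project_id = $1 ${orderByClause} LIMIT 50`;
}

// Constructed attacker input: a subquery inside ORDER BY is the usual foothold for
// blind (time- or error-based) injection in a sort parameter.
const INJECTED_ORDER_BY = "(SELECT pg_sleep(5))";

// Runs both builders on the same payload and reports what each produced.
function demonstrate(): { vulnerable: string; hardenedRejected: boolean } {
  const vulnerable = buildQuery(buildOrderByUnsafe(INJECTED_ORDER_BY, "asc"));
  let hardenedRejected = false;
  try {
    buildOrderBySafe(INJECTED_ORDER_BY, "asc");
  } catch (err) {
    hardenedRejected = err instanceof RangeError;
  }
  return { vulnerable, hardenedRejected };
}

const result = demonstrate();
console.log("vulnerable statement:", result.vulnerable);
console.log("hardened builder rejected payload:", result.hardenedRejected);
```

The check a reviewer would apply to the real route is the same as the one the hardened builder encodes: every identifier that reaches `sql.unsafe` must come from a server-side table, never from the request, and the lookup must be an own-key lookup (a `Map` or `Object.hasOwn`), not a bare property access.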
Overview
  • CVE ID: CVE-2024-7456
  • Assigner: @huntr_ai
  • Vulnerability Status: PUBLISHED
  • Published Version: 2024-11-01T12:05:12.189Z
  • Last Modified Date: 2024-11-01T13:19:19.973Z
History
Created | Old Value | New Value | Data Type | Notes
2024-11-02 13:25:28 | | | | Added to TrackCVE