npm package
lunary
pkg:npm/lunary
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-6862 | — | < 1.4.10 | 1.4.10 | Sep 13, 2024 | A Cross-Site Request Forgery (CSRF) vulnerability exists in lunary-ai/lunary version 1.2.34 due to overly permissive CORS settings. This vulnerability allows an attacker to sign up for and create projects or use the instance as if they were a user with local access. The main atta | ||
| CVE-2024-6867 | — | < 1.4.10 | 1.4.10 | Sep 13, 2024 | An information disclosure vulnerability exists in the lunary-ai/lunary, specifically in the `runs/{run_id}/related` endpoint. This endpoint does not verify that the user has the necessary access rights to the run(s) they are accessing. As a result, it returns not only the specifi | ||
| CVE-2024-6087 | — | < 1.4.9 | 1.4.9 | Sep 13, 2024 | An improper access control vulnerability exists in lunary-ai/lunary at the latest commit (a761d83) on the main branch. The vulnerability allows an attacker to use the auth tokens issued by the 'invite user' functionality to obtain valid JWT tokens. These tokens can be used to com | ||
| CVE-2024-6582 | — | < 1.4.9 | 1.4.9 | Sep 13, 2024 | A broken access control vulnerability exists in the latest version of lunary-ai/lunary. The `saml.ts` file allows a user from one organization to update the Identity Provider (IDP) settings and view the SSO metadata of another organization. This vulnerability can lead to unauthor | ||
| CVE-2024-5389 | — | < 1.4.9 | 1.4.9 | Jun 9, 2024 | In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to create, update, get, and delete prompt variations for datasets not owned by their organization. This issue arises due to the application not properly validating the own | ||
| CVE-2024-4146 | — | < 1.2.26 | 1.2.26 | Jun 8, 2024 | In lunary-ai/lunary version v1.2.13, an incorrect authorization vulnerability exists that allows unauthorized users to access and manipulate projects within an organization they should not have access to. Specifically, the vulnerability is located in the `checkProjectAccess` meth | ||
| CVE-2024-5478 | — | <= 1.2.7 | — | Jun 6, 2024 | A Cross-site Scripting (XSS) vulnerability exists in the SAML metadata endpoint `/auth/saml/${org?.id}/metadata` of lunary-ai/lunary version 1.2.7. The vulnerability arises due to the application's failure to escape or validate the `orgId` parameter supplied by the user before in |
- CVE-2024-6862Sep 13, 2024affected < 1.4.10fixed 1.4.10
A Cross-Site Request Forgery (CSRF) vulnerability exists in lunary-ai/lunary version 1.2.34 due to overly permissive CORS settings. This vulnerability allows an attacker to sign up for and create projects or use the instance as if they were a user with local access. The main atta
- CVE-2024-6867Sep 13, 2024affected < 1.4.10fixed 1.4.10
An information disclosure vulnerability exists in the lunary-ai/lunary, specifically in the `runs/{run_id}/related` endpoint. This endpoint does not verify that the user has the necessary access rights to the run(s) they are accessing. As a result, it returns not only the specifi
- CVE-2024-6087Sep 13, 2024affected < 1.4.9fixed 1.4.9
An improper access control vulnerability exists in lunary-ai/lunary at the latest commit (a761d83) on the main branch. The vulnerability allows an attacker to use the auth tokens issued by the 'invite user' functionality to obtain valid JWT tokens. These tokens can be used to com
- CVE-2024-6582Sep 13, 2024affected < 1.4.9fixed 1.4.9
A broken access control vulnerability exists in the latest version of lunary-ai/lunary. The `saml.ts` file allows a user from one organization to update the Identity Provider (IDP) settings and view the SSO metadata of another organization. This vulnerability can lead to unauthor
- CVE-2024-5389Jun 9, 2024affected < 1.4.9fixed 1.4.9
In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to create, update, get, and delete prompt variations for datasets not owned by their organization. This issue arises due to the application not properly validating the own
- CVE-2024-4146Jun 8, 2024affected < 1.2.26fixed 1.2.26
In lunary-ai/lunary version v1.2.13, an incorrect authorization vulnerability exists that allows unauthorized users to access and manipulate projects within an organization they should not have access to. Specifically, the vulnerability is located in the `checkProjectAccess` meth
- CVE-2024-5478Jun 6, 2024affected <= 1.2.7
A Cross-site Scripting (XSS) vulnerability exists in the SAML metadata endpoint `/auth/saml/${org?.id}/metadata` of lunary-ai/lunary version 1.2.7. The vulnerability arises due to the application's failure to escape or validate the `orgId` parameter supplied by the user before in