VYPR

Lunary

by Lunary AI

npm: lunary

CVEs (71)

  • CVE-2024-8764 (Mar 20, 2025)
    risk 0.00 | cvss | epss 0.01

    A vulnerability in lunary-ai/lunary, as of commit be54057, allows users to upload and execute arbitrary regular expressions on the server side. This can lead to a Denial of Service (DoS) condition, as certain regular expressions can cause excessive resource consumption, blocking…

  • CVE-2024-10762 (Mar 20, 2025)
    risk 0.00 | cvss | epss 0.01

    In lunary-ai/lunary before version 1.5.9, the /v1/evaluators/ endpoint allows users to delete evaluators of a project by sending a DELETE request. However, the route lacks proper access control, such as middleware to ensure that only users with appropriate roles can delete…

  • CVE-2024-9000 (Mar 20, 2025)
    risk 0.00 | cvss | epss 0.01

    In lunary-ai/lunary before version 1.4.26, the checklists.post() endpoint allows users to create or modify checklists without validating whether the user has proper permissions. This missing access control permits unauthorized users to create checklists, bypassing intended…

  • CVE-2024-10275 (Mar 20, 2025)
    risk 0.00 | cvss | epss 0.00

    In version 1.5.5 of lunary-ai/lunary, a vulnerability exists where admins, who do not have direct permissions to access billing resources, can change the permissions of existing users to include billing permissions. This can lead to a privilege escalation scenario where an…

  • CVE-2024-10274 (Mar 20, 2025)
    risk 0.00 | cvss | epss 0.01

    An improper authorization vulnerability exists in lunary-ai/lunary version 1.5.5. The /users/me/org endpoint lacks adequate access control mechanisms, allowing unauthorized users to access sensitive information about all team members in the current organization. This…

  • CVE-2024-11137 (Mar 20, 2025)
    risk 0.00 | cvss | epss 0.01

    An Insecure Direct Object Reference (IDOR) vulnerability exists in the `PATCH /v1/runs/:id/score` endpoint of lunary-ai/lunary version 1.6.0. This vulnerability allows an attacker to update the score data of any run by manipulating the id parameter in the request URL, which…

  • CVE-2024-8763 (Mar 20, 2025)
    risk 0.00 | cvss | epss 0.01

    A Regular Expression Denial of Service (ReDoS) vulnerability exists in the lunary-ai/lunary repository, specifically in the compileTextTemplate function. The affected version is git be54057. An attacker can exploit this vulnerability by manipulating the regular expression…

  • CVE-2024-8999 (Mar 20, 2025)
    risk 0.00 | cvss | epss 0.01

    lunary-ai/lunary version v1.4.25 contains an improper access control vulnerability in the POST /api/v1/data-warehouse/bigquery endpoint. This vulnerability allows any user to export the entire database data by creating a stream to Google BigQuery without proper authentication or…

  • CVE-2024-10273 (Mar 20, 2025)
    risk 0.00 | cvss | epss 0.00

    In lunary-ai/lunary v1.5.0, improper privilege management in the models.ts file allows users with viewer roles to modify models owned by others. The PATCH endpoint for models does not have appropriate privilege checks, enabling low-privilege users to update models they should…

  • CVE-2024-9095 (Mar 20, 2025)
    risk 0.00 | cvss | epss 0.01

    In lunary-ai/lunary version v1.4.28, the /bigquery API route lacks proper access control, allowing any logged-in user to create a Datastream to Google BigQuery and export the entire database. This includes sensitive data such as password hashes and secret API keys. The route is…

  • CVE-2024-3760 (Nov 14, 2024)
    risk 0.00 | cvss | epss 0.00

    In lunary-ai/lunary version 1.2.7, there is a lack of rate limiting on the forgot password page, leading to an email bombing vulnerability. Attackers can exploit this by automating forgot password requests to flood targeted user accounts with a high volume of password reset…

  • CVE-2024-3502 (Nov 14, 2024)
    risk 0.00 | cvss | epss 0.00

    In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists where account recovery hashes of users are inadvertently exposed to unauthorized actors. This issue occurs when authenticated users inspect responses from `GET /v1/users/me`…

  • CVE-2024-3501 (Nov 14, 2024)
    risk 0.00 | cvss | epss 0.00

    In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists due to the inclusion of single-use tokens in the responses of `GET /v1/users/me` and `GET /v1/users/me/org` API endpoints. These tokens, intended for sensitive operations such…

  • CVE-2024-3379 (Nov 14, 2024)
    risk 0.00 | cvss | epss 0.00

    In lunary-ai/lunary versions 1.2.2 through 1.2.6, an incorrect authorization vulnerability allows unprivileged users to re-generate the private key for projects they do not have access to. Specifically, a user with a 'Member' role can issue a request to regenerate the private…

  • CVE-2024-7472 (Oct 29, 2024)
    risk 0.00 | cvss | epss 0.00

    lunary-ai/lunary v1.2.26 contains an email injection vulnerability in the Send email verification API (/v1/users/send-verification) and Sign up API (/auth/signup). An unauthenticated attacker can inject data into outgoing emails by bypassing the extractFirstName function using a…

  • CVE-2024-7473 (Oct 29, 2024)
    risk 0.00 | cvss | epss 0.00

    An IDOR vulnerability exists in the 'Evaluations' function of the 'umgws datasets' section in lunary-ai/lunary version 1.3.2. This vulnerability allows an authenticated user to update other users' prompts by manipulating the 'id' parameter in the request. The issue is fixed in…

  • CVE-2024-7474 (Oct 29, 2024)
    risk 0.00 | cvss | epss 0.00

    In version 1.3.2 of lunary-ai/lunary, an Insecure Direct Object Reference (IDOR) vulnerability exists. A user can view or delete external users by manipulating the 'id' parameter in the request URL. The application does not perform adequate checks on the 'id' parameter, allowing…

  • CVE-2024-7475 (Oct 29, 2024)
    risk 0.00 | cvss | epss 0.01

    An improper access control vulnerability in lunary-ai/lunary version 1.3.2 allows an attacker to update the SAML configuration without authorization. This vulnerability can lead to manipulation of authentication processes, fraudulent login requests, and theft of user…

  • CVE-2024-6862 (Sep 13, 2024)
    risk 0.00 | cvss | epss 0.00

    A Cross-Site Request Forgery (CSRF) vulnerability exists in lunary-ai/lunary version 1.2.34 due to overly permissive CORS settings. This vulnerability allows an attacker to sign up for and create projects or use the instance as if they were a user with local access. The main…

  • CVE-2024-6867 (Sep 13, 2024)
    risk 0.00 | cvss | epss 0.00

    An information disclosure vulnerability exists in lunary-ai/lunary, specifically in the `runs/{run_id}/related` endpoint. This endpoint does not verify that the user has the necessary access rights to the run(s) they are accessing. As a result, it returns not only the…