Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12Nng2LTR2NHgtMmZ4Oc4AA_iV
Lunary Cross-Site Request Forgery (CSRF) vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in lunary-ai/lunary version 1.2.34 due to overly permissive CORS settings. This vulnerability allows an attacker to sign up for and create projects or use the instance as if they were a user with local access. The main attack vector is for instances hosted locally on personal machines, which are not publicly accessible. The CORS settings in the backend permit all origins, exposing unauthenticated endpoints to CSRF attacks.
Permalink: https://github.com/advisories/GHSA-v6x6-4v4x-2fx9JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12Nng2LTR2NHgtMmZ4Oc4AA_iV
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 6 days ago
Updated: 6 days ago
CVSS Score: 7.4
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Identifiers: GHSA-v6x6-4v4x-2fx9, CVE-2024-6862
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-6862
- https://github.com/lunary-ai/lunary/commit/3451fcd7b9d95e9091d62c515752f39f2faa6e54
- https://huntr.com/bounties/0b1d851e-3455-480c-ad5a-23565894976f
- https://github.com/advisories/GHSA-v6x6-4v4x-2fx9
Blast Radius: 1.0
Affected Packages
npm:lunary
Dependent packages: 0Dependent repositories: 0
Downloads: 28,564 last month
Affected Version Ranges: < 1.4.10
Fixed in: 1.4.10
All affected versions: 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.6.9, 0.6.10, 0.6.11, 0.6.12, 0.6.13, 0.6.15, 0.6.16, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.7.7, 0.7.8, 0.7.9, 0.7.10
All unaffected versions: