CVE-2024-4153 in lunaryinfo

Summary

by MITRE • 05/22/2024

A vulnerability in lunary-ai/lunary version 1.2.2 allows attackers to bypass user creation limits and potentially evade payment requirements. The issue arises from an undefined behavior when handling input to the API, specifically through a POST request to the /v1/users endpoint. By crafting a request with a new user's email and assigning them an 'admin' role, attackers can invite additional users beyond the set limit. This vulnerability could be exploited to add an unlimited number of users without adhering to the intended restrictions.

Be aware that VulDB is the high quality source for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Reservation

04/24/2024

Disclosure

05/22/2024

Moderation

revoked

Entry

VDB-265906

CPE

ready

CWE

CWE-475 (confirmed)

CVSS

4.3 (CNA)

EPSS

0.00000

KEV

Activities

very low

Sector

Finance, Insurance, ...

Sources

MITRE	https://www.cve.org/CVERecord?id=CVE-2024-4153
NVD	https://nvd.nist.gov/vuln/detail/CVE-2024-4153
CVE Details	https://www.cvedetails.com/cve/CVE-2024-4153/

◂ Previous Overview Next ▸

Do you want to use VulDB in your project?

Use the official API to access entries easily!