Executive Summary

Informations
Name CVE-2024-9000 First vendor Publication 2025-03-20
Vendor Cve Last vendor Modification 2025-04-10

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Overall CVSS Score 6.5
Base Score 6.5 Environmental Score 6.5
impact SubScore 3.6 Temporal Score 6.5
Exploitabality Sub Score 2.8
 
Attack Vector Network Attack Complexity Low
Privileges Required Low User Interaction None
Scope Unchanged Confidentiality Impact None
Integrity Impact High Availability Impact None
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score N/A Attack Range N/A
Cvss Impact Score N/A Attack Complexity N/A
Cvss Expoit Score N/A Authentication N/A
Calculate full CVSS 2.0 Vectors scores

Detail

In lunary-ai/lunary before version 1.4.26, the checklists.post() endpoint allows users to create or modify checklists without validating whether the user has proper permissions. This missing access control permits unauthorized users to create checklists, bypassing intended permission checks. Additionally, the endpoint does not validate the uniqueness of the slug field when creating a new checklist, allowing an attacker to spoof existing checklists by reusing the slug of an already-existing checklist. This can lead to significant data integrity issues, as legitimate checklists can be replaced with malicious or altered data.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9000

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-285 Improper Access Control (Authorization)

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1

Sources (Detail)

https://github.com/lunary-ai/lunary/commit/a02861ef9bb6ce860a35f7b8f178d58859...
https://huntr.com/bounties/f5fca549-0a4a-4f64-8ccf-d4e108856da4
Source Url

Alert History

If you want to see full details history, please login or register.
0
1
Date Informations
2025-05-27 02:50:01
  • Multiple Updates
2025-03-20 13:20:35
  • First insertion