Vulnerability-Lookup

CVE-2024-1665 (GCVE-0-2024-1665)

Vulnerability from cvelistv5 – Published: 2024-04-16 00:00 – Updated: 2024-06-07 16:55

This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Show details on NVD website

{
  "containers": {
    "cna": {
      "providerMetadata": {
        "dateUpdated": "2024-06-07T16:55:45.980Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntr_ai"
      },
      "rejectedReasons": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
            }
          ],
          "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntr_ai",
    "cveId": "CVE-2024-1665",
    "datePublished": "2024-04-16T00:00:14.606Z",
    "dateRejected": "2024-06-07T16:55:45.980Z",
    "dateReserved": "2024-02-20T14:28:29.542Z",
    "dateUpdated": "2024-06-07T16:55:45.980Z",
    "state": "REJECTED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-1665\",\"sourceIdentifier\":\"security@huntr.dev\",\"published\":\"2024-04-16T00:15:10.150\",\"lastModified\":\"2024-06-07T17:15:49.850\",\"vulnStatus\":\"Rejected\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\"}],\"metrics\":{},\"references\":[]}}"
  }
}

GHSA-XH3C-49Q5-VP78

Vulnerability from github – Published: 2024-04-16 00:30 – Updated: 2024-04-16 00:30

Details

lunary-ai/lunary version 1.0.0 is vulnerable to unauthorized evaluation creation due to missing server-side checks for user account status during evaluation creation. While the web UI restricts evaluation creation to paid accounts, the server-side API endpoint '/v1/evaluations' does not verify if the user has a paid account, allowing users with free or self-hosted accounts to create unlimited evaluations without upgrading their account. This vulnerability is due to the lack of account status validation in the evaluation creation process.

Severity ?

5.3 (Medium)


                  
                    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-1665"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-16T00:15:10Z",
    "severity": "MODERATE"
  },
  "details": "lunary-ai/lunary version 1.0.0 is vulnerable to unauthorized evaluation creation due to missing server-side checks for user account status during evaluation creation. While the web UI restricts evaluation creation to paid accounts, the server-side API endpoint \u0027/v1/evaluations\u0027 does not verify if the user has a paid account, allowing users with free or self-hosted accounts to create unlimited evaluations without upgrading their account. This vulnerability is due to the lack of account status validation in the evaluation creation process.",
  "id": "GHSA-xh3c-49q5-vp78",
  "modified": "2024-04-16T00:30:33Z",
  "published": "2024-04-16T00:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1665"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lunary-ai/lunary/commit/c57cd50fa0477fd2a2efe60810c0099eebd66f54"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/c0e6299e-ea45-435c-b849-53d50ffc0e83"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

FKIE_CVE-2024-1665

Vulnerability from fkie_nvd - Published: 2024-04-16 00:15 - Updated: 2024-06-07 17:15

Severity ?

Summary

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

References

	URL	Tags

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
    }
  ],
  "id": "CVE-2024-1665",
  "lastModified": "2024-06-07T17:15:49.850",
  "metrics": {},
  "published": "2024-04-16T00:15:10.150",
  "references": [],
  "sourceIdentifier": "security@huntr.dev",
  "vulnStatus": "Rejected"
}

GSD-2024-1665

Vulnerability from gsd - Updated: 2024-02-21 06:02

Details

Aliases

CVE-2024-1665

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-1665"
      ],
      "details": "lunary-ai/lunary version 1.0.0 is vulnerable to unauthorized evaluation creation due to missing server-side checks for user account status during evaluation creation. While the web UI restricts evaluation creation to paid accounts, the server-side API endpoint \u0027/v1/evaluations\u0027 does not verify if the user has a paid account, allowing users with free or self-hosted accounts to create unlimited evaluations without upgrading their account. This vulnerability is due to the lack of account status validation in the evaluation creation process.",
      "id": "GSD-2024-1665",
      "modified": "2024-02-21T06:02:36.938183Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@huntr.com",
        "ID": "CVE-2024-1665",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "lunary-ai/lunary",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "unspecified",
                          "version_value": "1.2.7"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "lunary-ai"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "lunary-ai/lunary version 1.0.0 is vulnerable to unauthorized evaluation creation due to missing server-side checks for user account status during evaluation creation. While the web UI restricts evaluation creation to paid accounts, the server-side API endpoint \u0027/v1/evaluations\u0027 does not verify if the user has a paid account, allowing users with free or self-hosted accounts to create unlimited evaluations without upgrading their account. This vulnerability is due to the lack of account status validation in the evaluation creation process."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.0"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-770",
                "lang": "eng",
                "value": "CWE-770 Allocation of Resources Without Limits or Throttling"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://huntr.com/bounties/c0e6299e-ea45-435c-b849-53d50ffc0e83",
            "refsource": "MISC",
            "url": "https://huntr.com/bounties/c0e6299e-ea45-435c-b849-53d50ffc0e83"
          },
          {
            "name": "https://github.com/lunary-ai/lunary/commit/c57cd50fa0477fd2a2efe60810c0099eebd66f54",
            "refsource": "MISC",
            "url": "https://github.com/lunary-ai/lunary/commit/c57cd50fa0477fd2a2efe60810c0099eebd66f54"
          }
        ]
      },
      "source": {
        "advisory": "c0e6299e-ea45-435c-b849-53d50ffc0e83",
        "discovery": "EXTERNAL"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "lunary-ai/lunary version 1.0.0 is vulnerable to unauthorized evaluation creation due to missing server-side checks for user account status during evaluation creation. While the web UI restricts evaluation creation to paid accounts, the server-side API endpoint \u0027/v1/evaluations\u0027 does not verify if the user has a paid account, allowing users with free or self-hosted accounts to create unlimited evaluations without upgrading their account. This vulnerability is due to the lack of account status validation in the evaluation creation process."
          },
          {
            "lang": "es",
            "value": "lunary-ai/lunary versi\u00f3n 1.0.0 es vulnerable a la creaci\u00f3n de evaluaciones no autorizadas debido a que faltan verificaciones del lado del servidor para el estado de la cuenta de usuario durante la creaci\u00f3n de la evaluaci\u00f3n. Si bien la interfaz de usuario web restringe la creaci\u00f3n de evaluaciones a cuentas pagas, el endpoint API del lado del servidor \u0027/v1/evaluations\u0027 no verifica si el usuario tiene una cuenta paga, lo que permite a los usuarios con cuentas gratuitas o autohospedadas crear evaluaciones ilimitadas sin actualizar su cuenta. Esta vulnerabilidad se debe a la falta de validaci\u00f3n del estado de la cuenta en el proceso de creaci\u00f3n de la evaluaci\u00f3n."
          }
        ],
        "id": "CVE-2024-1665",
        "lastModified": "2024-04-16T13:24:07.103",
        "metrics": {
          "cvssMetricV30": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.0"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 1.4,
              "source": "security@huntr.dev",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-04-16T00:15:10.150",
        "references": [
          {
            "source": "security@huntr.dev",
            "url": "https://github.com/lunary-ai/lunary/commit/c57cd50fa0477fd2a2efe60810c0099eebd66f54"
          },
          {
            "source": "security@huntr.dev",
            "url": "https://huntr.com/bounties/c0e6299e-ea45-435c-b849-53d50ffc0e83"
          }
        ],
        "sourceIdentifier": "security@huntr.dev",
        "vulnStatus": "Awaiting Analysis",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-770"
              }
            ],
            "source": "security@huntr.dev",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-1665 (GCVE-0-2024-1665)

GHSA-XH3C-49Q5-VP78

FKIE_CVE-2024-1665

GSD-2024-1665

Tags

Sightings

Nomenclature