CVE-2024-7456
CRITICAL 9.8
Description
A SQL injection vulnerability exists in the `/api/v1/external-users` route of lunary-ai/lunary version v1.4.2. The `order by` clause of the SQL query uses `sql.unsafe` without prior sanitization, allowing for SQL injection. The `orderByClause` variable is constructed without server-side validation or sanitization, enabling an attacker to execute arbitrary SQL commands. Successful exploitation can lead to complete data loss, modification, or corruption.
CVE details
CVSS v3.1 score: 9.8
Severity: CRITICAL
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector: NETWORK
Complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 11/1/2024
Last modified: 11/6/2024
Source: nvd
Honeypot sightings: 0
Affected products
lunary:lunary
Weaknesses (CWE)
CWE-89
References
https://github.com/lunary-ai/lunary/commit/6a0bc201181e0f4a0cc375ccf4ef0d7ae65c8a8e (security@huntr.dev)
https://huntr.com/bounties/bfb3015e-5642-4d94-ab49-e8b49c4e07e4 (security@huntr.dev)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.