CVE-2024-7456
Severity: CRITICAL (CVSS 9.8)
Description
A SQL injection vulnerability exists in the `/api/v1/external-users` route of lunary-ai/lunary version v1.4.2. The `order by` clause of the SQL query uses `sql.unsafe` without prior sanitization, allowing for SQL injection. The `orderByClause` variable is constructed without server-side validation or sanitization, enabling an attacker to execute arbitrary SQL commands. Successful exploitation can lead to complete data loss, modification, or corruption.
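The root cause described above is a sort clause assembled from request input and handed to a raw-SQL helper with no server-side check. The usual fix is to map the API-facing sort key and direction onto a fixed allow-list and refuse anything else, so that only server-chosen strings ever reach `sql.unsafe`. The following is an added illustration of that pattern, written for this page; it is not lunary's code and not the referenced fix commit. The column names, the `buildOrderBy` / `orderByFromQuery` function names and the `InvalidSortError` type are constructed for the example.

```javascript
// Added example (not lunary's code): allow-list validation for a user-controlled
// ORDER BY clause. Column names below are constructed for illustration and are
// not the lunary schema. Only strings produced by buildOrderBy(), never raw
// request input, should be passed on to a raw-SQL helper such as sql.unsafe.

// API-facing sort keys mapped to the column each may sort on. A Map is used
// instead of a plain object so that inherited keys such as "constructor" or
// "__proto__" do not resolve to a non-undefined value and slip past the check.
const SORTABLE_COLUMNS = new Map([
  ["createdAt", "created_at"],
  ["lastSeen", "last_seen"],
  ["externalId", "external_id"],
]);

const SORT_DIRECTIONS = new Map([
  ["asc", "ASC"],
  ["desc", "DESC"],
]);

class InvalidSortError extends Error {}

// Quote a SQL identifier (PostgreSQL style). The value is already allow-listed,
// so this is defence in depth against a future edit of the map, not the primary control.
function quoteIdentifier(name) {
  return '"' + name.replace(/"/g, '""') + '"';
}

// Build the ORDER BY fragment from validated input, or throw InvalidSortError.
function buildOrderBy(sortBy = "createdAt", direction = "desc") {
  const column = SORTABLE_COLUMNS.get(String(sortBy));
  if (column === undefined) {
    throw new InvalidSortError(`unsupported sort column: ${String(sortBy)}`);
  }
  const dir = SORT_DIRECTIONS.get(String(direction).toLowerCase());
  if (dir === undefined) {
    throw new InvalidSortError(`unsupported sort direction: ${String(direction)}`);
  }
  return `ORDER BY ${quoteIdentifier(column)} ${dir}`;
}

// Validate once at the route boundary: return a clause for the query layer or a
// 400-style result, so invalid input is rejected before any SQL is assembled.
function orderByFromQuery(query) {
  try {
    return { ok: true, clause: buildOrderBy(query.sortBy, query.direction) };
  } catch (err) {
    if (err instanceof InvalidSortError) {
      return { ok: false, status: 400, error: err.message };
    }
    throw err;
  }
}

// Stand-alone demonstration with constructed query parameters.
console.log(orderByFromQuery({ sortBy: "lastSeen", direction: "asc" }));
console.log(orderByFromQuery({ sortBy: "not_a_column" }));
```

The important property is that the request value is only ever used as a lookup key, never copied into the SQL text; the returned fragment is composed entirely of server-side constants, which is what makes it acceptable to pass to a raw-query helper.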
CVE Details
CVSS v3.1 Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Published: 11/1/2024
Last Modified: 11/6/2024
Source: nvd
Honeypot Sightings: 0
Affected Products
lunary:lunary
Weaknesses (CWE)
CWE-89
References
https://github.com/lunary-ai/lunary/commit/6a0bc201181e0f4a0cc375ccf4ef0d7ae65c8a8e (security@huntr.dev)
https://huntr.com/bounties/bfb3015e-5642-4d94-ab49-e8b49c4e07e4 (security@huntr.dev)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.