@huntr_ai · CWE-837 · Published 2025-03-20
In lunary-ai/lunary before version 1.6.3, the application allows the creation of evaluators without enforcing a unique constraint on the combination of projectId and slug. This allows an attacker to overwrite existing data by submitting a POST request with the same slug as an existing evaluator. The lack of database constraints or application-layer validation to prevent duplicates exposes the application to data integrity issues. This vulnerability can result in corrupted data and potentially malicious actions, impairing the system's functionality.
| CVSS version | Type | Source | Base score | Exploitability | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.0 | Primary | cve.org | 6.5 | — | — | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| 3.0 | Secondary | NVD | 6.5 | 2.8 | 3.6 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
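The advisory names two missing controls: a database unique constraint on (projectId, slug) and application-layer validation that rejects a duplicate instead of overwriting. The following added example (not lunary's code; table and column names are constructed for illustration, using SQLite so it runs offline) shows both controls together, with the constraint acting as the backstop for two concurrent create requests that both pass the application check:

```python
import sqlite3

# Constructed schema for illustration only; not lunary's real table or columns.
# The UNIQUE constraint is the control the advisory says was missing before 1.6.3.
SCHEMA_HARDENED = """
CREATE TABLE evaluator (
    id         INTEGER PRIMARY KEY,
    project_id TEXT NOT NULL,
    slug       TEXT NOT NULL,
    config     TEXT NOT NULL,
    UNIQUE (project_id, slug)
);
"""


class DuplicateEvaluator(Exception):
    """Raised when (project_id, slug) already exists; an HTTP handler maps this to 409."""


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA_HARDENED)
    return db


def create_evaluator(db: sqlite3.Connection, project_id: str, slug: str, config: str) -> int:
    """Create an evaluator, refusing to overwrite one that already uses this slug
    in the same project. Returns the new row id."""
    # Application-layer validation: clear error on the common path.
    exists = db.execute(
        "SELECT 1 FROM evaluator WHERE project_id = ? AND slug = ?", (project_id, slug)
    ).fetchone()
    if exists:
        raise DuplicateEvaluator(f"slug {slug!r} already exists in project {project_id!r}")
    # Database constraint: backstop for a race between two requests that both
    # passed the check above. A plain INSERT raises instead of replacing the row.
    try:
        cur = db.execute(
            "INSERT INTO evaluator (project_id, slug, config) VALUES (?, ?, ?)",
            (project_id, slug, config),
        )
    except sqlite3.IntegrityError as exc:
        raise DuplicateEvaluator(f"slug {slug!r} already exists in project {project_id!r}") from exc
    db.commit()
    return cur.lastrowid


def get_config(db: sqlite3.Connection, project_id: str, slug: str):
    """Return the stored config for (project_id, slug), or None if absent."""
    row = db.execute(
        "SELECT config FROM evaluator WHERE project_id = ? AND slug = ?", (project_id, slug)
    ).fetchone()
    return row[0] if row else None
```

The same slug remains valid in a different project, which is why the constraint covers the pair rather than the slug alone.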