CVE-2024-10330
📋 TL;DR
In lunary-ai/lunary version 1.5.6, the /v1/evaluators/ endpoint lacks proper access control, allowing any authenticated user associated with a project to retrieve all evaluator data regardless of their role. This vulnerability enables low-privilege users to access potentially sensitive evaluation data that should be restricted to higher-privileged roles. Organizations using the affected version of lunary with multiple user roles are impacted.
💻 Affected Systems
- lunary-ai/lunary
📦 What is this software?
Lunary by Lunary
⚠️ Risk & Real-World Impact
Worst Case
Low-privilege users could access sensitive evaluation data, intellectual property, or proprietary information that should be restricted to administrators or specific roles, potentially leading to data leakage, competitive disadvantage, or regulatory compliance violations.
Likely Case
Unauthorized users within an organization gain access to evaluation data they shouldn't see, potentially exposing internal metrics, testing results, or proprietary evaluation criteria.
If Mitigated
Proper role-based access control prevents unauthorized access, limiting evaluator data visibility to only authorized users based on their assigned roles and permissions.
🎯 Exploit Status
Exploitation requires authenticated access to a project, but any authenticated user can exploit this vulnerability regardless of their assigned role.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit 8ba1b8ba2c2c30b1cec30eb5777c1fda670cbbfc
Vendor Advisory: https://github.com/lunary-ai/lunary/commit/8ba1b8ba2c2c30b1cec30eb5777c1fda670cbbfc
Restart Required: Yes
Instructions:
1. Update lunary to a version containing commit 8ba1b8ba2c2c30b1cec30eb5777c1fda670cbbfc
2. Restart the lunary service
3. Verify that role-based access control is properly enforced on the /v1/evaluators/ endpoint
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the lunary instance to trusted users only, or place an additional authentication layer in front of it.
Endpoint Monitoring
Implement monitoring and alerting for unauthorized access attempts to the /v1/evaluators/ endpoint.
🧯 If You Can't Patch
- Implement network segmentation to restrict access to the lunary instance
- Add an additional authentication/authorization layer (like a reverse proxy with additional auth) in front of the lunary application
🔍 How to Verify
Check if Vulnerable:
Using an account that holds the lowest-privileged role in a project, send a GET request to the /v1/evaluators/ endpoint; if the request succeeds and evaluator data is returned, the instance is vulnerable.
Check Version:
Check the lunary version in your deployment configuration or via the application interface
Verify Fix Applied:
Verify that the same low-privilege request to /v1/evaluators/ is rejected with an access-denied response instead of returning evaluator data.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to /v1/evaluators/ endpoint
- Low-privilege user accounts accessing evaluator data
Network Indicators:
- HTTP GET requests to /v1/evaluators/ from unauthorized user accounts
SIEM Query:
source="lunary" AND (uri_path="/v1/evaluators/" OR endpoint="/v1/evaluators/") AND user_role!="admin" AND response_code=200
(Field names such as uri_path, user_role and response_code depend on how your logging pipeline normalizes lunary or reverse-proxy logs; adjust them to match your schema.)
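The same detection logic as the SIEM query above, written as an added Python example that is not part of this advisory or the lunary project, run over constructed JSON access-log lines. The log field names, the set of roles allowed to read evaluators, and the prefix match on sub-paths of /v1/evaluators/ are assumptions to adapt to your own logs.

```python
import json

# Constructed sample access-log lines, one JSON object per line.
# Field names are an assumption; real lunary or reverse-proxy logs differ.
SAMPLE_LOGS = """\
{"ts":"2024-10-24T10:00:01Z","user":"alice","role":"admin","method":"GET","path":"/v1/evaluators/","status":200}
{"ts":"2024-10-24T10:00:05Z","user":"bob","role":"viewer","method":"GET","path":"/v1/evaluators/","status":200}
{"ts":"2024-10-24T10:00:09Z","user":"bob","role":"viewer","method":"GET","path":"/v1/evaluators/","status":403}
{"ts":"2024-10-24T10:00:12Z","user":"carol","role":"member","method":"GET","path":"/v1/evaluators/abc123","status":200}
{"ts":"2024-10-24T10:00:15Z","user":"bob","role":"viewer","method":"GET","path":"/v1/runs","status":200}
"""

# Assumption: only the admin role is expected to read evaluator data.
ALLOWED_ROLES = {"admin"}
# Assumption: sub-resources under the endpoint are covered by a prefix match.
EVALUATOR_PREFIX = "/v1/evaluators/"


def parse_lines(text: str) -> list[dict]:
    """Parse newline-delimited JSON log lines, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_suspicious(events: list[dict], allowed_roles=ALLOWED_ROLES) -> list[dict]:
    """Return successful evaluator reads made by roles that should be denied.

    Mirrors the SIEM query: evaluator path, non-admin role, 2xx response.
    A 403 for a low-privilege user is the expected post-fix behaviour, so it
    is not reported.
    """
    hits = []
    for e in events:
        if e.get("method") != "GET":
            continue
        if not str(e.get("path", "")).startswith(EVALUATOR_PREFIX):
            continue
        if not 200 <= int(e.get("status", 0)) < 300:
            continue
        if e.get("role") in allowed_roles:
            continue
        hits.append(e)
    return hits


def summarize(hits: list[dict]) -> dict[str, int]:
    """Count suspicious reads per user, a convenient unit for alerting."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h["user"]] = counts.get(h["user"], 0) + 1
    return counts


if __name__ == "__main__":
    for user, n in summarize(find_suspicious(parse_lines(SAMPLE_LOGS))).items():
        print(f"{user}: {n} successful evaluator read(s) without an allowed role")
```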