CVE-2024-1738
📋 TL;DR
This vulnerability allows unauthorized users to access any organization's evaluation results by simply knowing the evaluation ID, due to missing project ID verification in the SQL query. It affects all users of the lunary-ai/lunary repository who haven't applied the security patch. Attackers can retrieve potentially sensitive data from evaluation results.
💻 Affected Systems
- lunary-ai/lunary
📦 What is this software?
Lunary by Lunary
⚠️ Risk & Real-World Impact
Worst Case
Complete exposure of all evaluation data across all organizations, including potentially sensitive AI model performance data, proprietary test results, and confidential business metrics.
Likely Case
Unauthorized access to specific evaluation results containing sensitive model performance data, potentially revealing proprietary AI training information or business intelligence.
If Mitigated
No data exposure with proper authorization checks in place; only authenticated users with appropriate project permissions can access evaluation results.
🎯 Exploit Status
Exploitation requires only knowledge of evaluation IDs, which could be guessed or discovered through other means. No authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit a4e61122e61dc31460cfbe54d15fae389cc440ce
Vendor Advisory: https://github.com/lunary-ai/lunary/commit/a4e61122e61dc31460cfbe54d15fae389cc440ce
Restart Required: Yes
Instructions:
1. Pull latest code from lunary-ai/lunary repository. 2. Apply commit a4e61122e61dc31460cfbe54d15fae389cc440ce. 3. Restart the lunary service. 4. Verify the fix by testing evaluation access controls.
🔧 Temporary Workarounds
Disable evaluations API endpoint
allTemporarily disable the vulnerable evaluations.get route until patch can be applied
# Modify API routing to disable /evaluations endpoint
# Implementation depends on your specific deployment
Implement API gateway authorization
allAdd additional authorization layer at API gateway level
# Configure API gateway to require authentication for /evaluations/* endpoints
# Add project ID validation at gateway level
🧯 If You Can't Patch
- Implement network-level access controls to restrict API endpoint access to authorized users only
- Add application-level authorization middleware that validates project membership before processing evaluation requests
🔍 How to Verify
Check if Vulnerable:
Test if you can access evaluation results using only an evaluation ID without proper project authorization. Attempt to retrieve evaluation data from another organization's project.Check Version:
git log --oneline | grep a4e61122e61dc31460cfbe54d15fae389cc440ceVerify Fix Applied:
After patching, verify that evaluation requests now require proper project authorization and fail when attempting to access evaluations from unauthorized projects.📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to /evaluations endpoint
- Evaluation retrieval requests without corresponding project authorization logs
- Multiple failed authorization attempts followed by successful evaluation access
Network Indicators:
- HTTP GET requests to /evaluations/{id} without proper authentication headers
- Unusual patterns of evaluation ID requests from single IP addresses
SIEM Query:
source="application_logs" AND (uri_path="/evaluations/*" AND NOT (user_project_match="true"))