CVE-2024-7456

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in lunary-ai/lunary v1.4.2 allows attackers to execute arbitrary SQL commands through the `/api/v1/external-users` endpoint. The vulnerability affects all systems running the vulnerable version, potentially leading to complete database compromise. Organizations using lunary-ai/lunary v1.4.2 or earlier are at risk.

💻 Affected Systems

Products:
  • lunary-ai/lunary
Versions: v1.4.2 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with the vulnerable endpoint exposed are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including data theft, modification, deletion, and potential remote code execution on the database server.

🟠 Likely Case: Data exfiltration, privilege escalation, and database corruption through SQL injection payloads.

🟢 If Mitigated: Limited impact with proper input validation, parameterized queries, and network segmentation in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via orderBy parameter requires minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 6a0bc201181e0f4a0cc375ccf4ef0d7ae65c8a8e

Vendor Advisory: https://github.com/lunary-ai/lunary/commit/6a0bc201181e0f4a0cc375ccf4ef0d7ae65c8a8e

Restart Required: Yes

Instructions:

1. Update to the latest lunary-ai/lunary version
2. Restart the application
3. Verify the fix by checking that the deployed commit history includes 6a0bc201181e0f4a0cc375ccf4ef0d7ae65c8a8e

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

  • Implement server-side validation to restrict the orderBy parameter to allowed values only
  • Implement input validation middleware before SQL query execution
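As an added example (not lunary's own code), the following shows the allow-list approach described above: the vulnerable pattern splices the request value straight into the ORDER BY clause, while the hardened version maps the orderBy value to a fixed set of vetted column identifiers so the client-supplied string never reaches the query text. The column names, the `column:asc|desc` parameter format, the table name and the query-builder shape are assumptions for illustration, not taken from lunary.

```javascript
// Added example, not code from lunary: allow-list handling of an orderBy parameter.
// Assumptions (not from the advisory): the API accepts "column" or "column:asc|desc",
// and the table/column names below are placeholders.
const SORTABLE_COLUMNS = Object.freeze({
  createdAt: '"created_at"', // API name -> vetted SQL identifier (assumed names)
  lastSeen: '"last_seen"',
  externalId: '"external_id"',
});

// Vulnerable pattern: the request value is spliced into the SQL text unchanged,
// so whatever the client sends becomes part of the ORDER BY clause.
function buildQueryUnsafe(orderBy) {
  return { text: `SELECT * FROM external_users ORDER BY ${orderBy}`, values: [] };
}

// Hardened pattern, step 1: validate against the allow-list and reject everything else.
function parseOrderBy(orderBy, fallbackColumn = "createdAt") {
  if (orderBy === undefined || orderBy === null || orderBy === "") {
    return { column: fallbackColumn, direction: "DESC" };
  }
  if (typeof orderBy !== "string") {
    // Query-string parsers can yield arrays or objects; refuse anything but a string.
    throw new TypeError("orderBy must be a string");
  }
  const [columnRaw, directionRaw = "desc"] = orderBy.split(":", 2);
  // hasOwnProperty guards against inherited keys such as "constructor" or "__proto__".
  if (!Object.prototype.hasOwnProperty.call(SORTABLE_COLUMNS, columnRaw)) {
    throw new RangeError(`orderBy: unknown sort column ${JSON.stringify(columnRaw)}`);
  }
  const direction = directionRaw.toLowerCase();
  if (direction !== "asc" && direction !== "desc") {
    throw new RangeError(`orderBy: unknown direction ${JSON.stringify(directionRaw)}`);
  }
  return { column: columnRaw, direction: direction.toUpperCase() };
}

// Hardened pattern, step 2: only the vetted identifier from SORTABLE_COLUMNS is
// interpolated; values that cannot be bound as identifiers (LIMIT) use a placeholder.
function buildQuerySafe(orderBy, limit = 100) {
  const { column, direction } = parseOrderBy(orderBy);
  return {
    text: `SELECT * FROM external_users ORDER BY ${SORTABLE_COLUMNS[column]} ${direction} LIMIT $1`,
    values: [limit],
  };
}
```

In a request handler, `parseOrderBy` would run before any database call and a `RangeError` or `TypeError` would be mapped to an HTTP 400; because the SQL text only ever contains strings from `SORTABLE_COLUMNS`, there is nothing left for a WAF or a keyword filter to catch on this parameter.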

WAF Rule (applies to: all)

  • Deploy web application firewall rules to block SQL injection patterns
  • Configure the WAF to detect and block SQL injection patterns in the orderBy parameter

🧯 If You Can't Patch

  • Block external access to /api/v1/external-users endpoint using firewall rules
  • Implement rate limiting and input validation at the application layer

🔍 How to Verify

Check if Vulnerable:

Test the /api/v1/external-users endpoint with SQL injection payloads in the orderBy parameter

Check Version:

git log --oneline -1

Verify Fix Applied:

Verify the commit hash includes 6a0bc201181e0f4a0cc375ccf4ef0d7ae65c8a8e and test SQL injection attempts are blocked

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts from single IP
  • Unexpected database errors

Network Indicators:

  • SQL keywords in HTTP parameters
  • Unusual traffic patterns to /api/v1/external-users

SIEM Query:

source="web_logs" AND uri="/api/v1/external-users" AND (param="orderBy" AND value MATCHES "(?i)(union|select|insert|update|delete|drop|create|alter)")
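The SIEM rule above, applied offline to web access-log lines as an added example that is not part of the advisory. The log format and the sample lines are constructed for this example. It also shows a caveat with the rule as written: a plain substring match on the keyword list flags legitimate-looking sort keys such as `createdAt` and `updatedAt` (they contain `create` and `update`), so a word-boundary variant is included alongside the advisory's own pattern.

```javascript
// Added example, not part of the advisory: run the advisory's SIEM keyword rule
// over access-log lines. Log format and sample lines are constructed here.
const SUSPECT_URI = "/api/v1/external-users";

// Keyword list exactly as given in the advisory's SIEM query.
const SQL_KEYWORDS = ["union", "select", "insert", "update", "delete", "drop", "create", "alter"];

// Substring form, equivalent to the advisory's MATCHES "(?i)(union|select|...)".
const NAIVE_RE = new RegExp(`(${SQL_KEYWORDS.join("|")})`, "i");

// Word-boundary form: "createdAt" and "updatedAt" no longer match on "create"/"update".
const BOUNDED_RE = new RegExp(`\\b(${SQL_KEYWORDS.join("|")})\\b`, "i");

// Parse one combined-log-style line:
//   <ip> - - [<timestamp>] "<method> <path>?<query> HTTP/1.1" <status>
function parseAccessLine(line) {
  const m = line.match(/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/);
  if (!m) return null;
  const [, ip, ts, method, target, status] = m;
  // The base URL is a placeholder; only path and query are taken from the line.
  const url = new URL(target, "http://placeholder.invalid");
  return { ip, ts, method, path: url.pathname, params: url.searchParams, status: Number(status) };
}

// Returns an alert record when the line hits the vulnerable endpoint with a
// suspicious orderBy value, otherwise null.
function scanLine(line, re = BOUNDED_RE) {
  const rec = parseAccessLine(line);
  if (!rec || rec.path !== SUSPECT_URI) return null;
  const value = rec.params.get("orderBy"); // URLSearchParams decodes %20 etc.
  if (value === null || !re.test(value)) return null;
  return { ip: rec.ip, ts: rec.ts, status: rec.status, orderBy: value };
}

function scanLog(lines, re = BOUNDED_RE) {
  return lines.map((l) => scanLine(l, re)).filter(Boolean);
}

// Constructed sample log (RFC 5737 documentation addresses, invented timestamps).
const SAMPLE_LOG = [
  '203.0.113.7 - - [12/Aug/2024:10:15:01 +0000] "GET /api/v1/external-users?orderBy=createdAt HTTP/1.1" 200',
  '203.0.113.7 - - [12/Aug/2024:10:15:02 +0000] "GET /api/v1/external-users?orderBy=updatedAt HTTP/1.1" 200',
  '198.51.100.23 - - [12/Aug/2024:10:16:40 +0000] "GET /api/v1/external-users?orderBy=name%20UNION%20SELECT%201 HTTP/1.1" 500',
  '198.51.100.23 - - [12/Aug/2024:10:16:41 +0000] "GET /api/v1/other-endpoint?orderBy=select HTTP/1.1" 200',
];

if (typeof require !== "undefined" && require.main === module) {
  console.log("bounded:", scanLog(SAMPLE_LOG));
  console.log("naive  :", scanLog(SAMPLE_LOG, NAIVE_RE));
}
```

With `BOUNDED_RE` only the third line is reported; with the advisory's substring pattern the two benign sort keys are reported as well, which is the false-positive rate to expect if the SIEM query is deployed verbatim. Pairing the match with the `500` status on the same request, as the "Unexpected database errors" indicator above suggests, is a cheap way to raise confidence.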
