CVE-2024-7474

8.1 HIGH

📋 TL;DR

This IDOR vulnerability in lunary-ai/lunary version 1.3.2 allows authenticated users to view or delete external user accounts by manipulating the 'id' parameter in API requests. The application fails to verify user authorization before processing these requests, potentially exposing sensitive user data. All deployments running the vulnerable version are affected.

💻 Affected Systems

Products:
  • lunary-ai/lunary
Versions: 1.3.2
Operating Systems: all
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments with external user functionality enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Mass exfiltration or deletion of all external user data, leading to complete data loss and privacy violations.

🟠 Likely Case: Unauthorized access to sensitive user information and potential account deletion for targeted users.

🟢 If Mitigated: Limited impact with proper access controls and monitoring in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is trivial via parameter manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 8f563c77d8614a72980113f530c7a9ec15a5f8d5

Vendor Advisory: https://github.com/lunary-ai/lunary/commit/8f563c77d8614a72980113f530c7a9ec15a5f8d5

Restart Required: Yes

Instructions:

1. Update to the latest lunary-ai/lunary version.
2. Apply commit 8f563c77d8614a72980113f530c7a9ec15a5f8d5.
3. Restart the application.

🔧 Temporary Workarounds

Implement API Authorization Middleware (all platforms): Add server-side authorization checks for all user-related endpoints.

Rate Limit User ID Endpoints (all platforms): Implement rate limiting on vulnerable endpoints to detect brute-force attempts.
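The first workaround above, an ownership check on user-related endpoints, shown as an added TypeScript example. This is illustrative code, not lunary's own handlers: the in-memory user table, the session shape, and the rule that an external user may be read or deleted only by accounts in the organisation that owns it are assumptions made for the example. The vulnerable handler is kept beside the hardened one so the difference is visible in a single place.

```typescript
// Added example (not lunary's code): the same endpoint written with the
// IDOR pattern and with the authorization check the workaround describes.
// ASSUMPTIONS: an in-memory user table, a session carrying the caller's
// organisation, and the rule that an external user may be read or deleted
// only by accounts in the organisation that owns it.

type ExternalUser = { id: number; orgId: number; email: string };
type Session = { accountId: number; orgId: number };
type Result = { status: number; body?: ExternalUser };

// Constructed sample data: two organisations, each owning one external user.
export const externalUsers: ExternalUser[] = [
  { id: 101, orgId: 1, email: "alice@example.org" },
  { id: 202, orgId: 2, email: "bob@example.net" },
];

// Accept only a plain positive integer; anything else is a malformed request.
function parseId(raw: string): number | null {
  return /^\d{1,12}$/.test(raw) ? Number(raw) : null;
}

// Vulnerable pattern: authentication is verified, but the lookup is keyed on
// the client-supplied id alone, so any logged-in caller reaches any record.
export function getExternalUserVulnerable(session: Session | null, rawId: string): Result {
  if (!session) return { status: 401 };
  const id = parseId(rawId);
  if (id === null) return { status: 400 };
  const user = externalUsers.find((u) => u.id === id);
  return user ? { status: 200, body: user } : { status: 404 };
}

// Hardened pattern: the lookup is scoped to the caller's organisation, so the
// record must both exist and belong to the caller. A foreign id answers 404,
// the same as a missing one, so the endpoint does not reveal which ids exist.
function findOwned(session: Session, id: number): ExternalUser | undefined {
  const orgId = session.orgId;
  return externalUsers.find((u) => u.id === id && u.orgId === orgId);
}

export function getExternalUser(session: Session | null, rawId: string): Result {
  if (!session) return { status: 401 };
  const id = parseId(rawId);
  if (id === null) return { status: 400 };
  const user = findOwned(session, id);
  return user ? { status: 200, body: user } : { status: 404 };
}

export function deleteExternalUser(session: Session | null, rawId: string): Result {
  if (!session) return { status: 401 };
  const id = parseId(rawId);
  if (id === null) return { status: 400 };
  const user = findOwned(session, id);
  if (!user) return { status: 404 };
  externalUsers.splice(externalUsers.indexOf(user), 1);
  return { status: 204 };
}

// Stand-alone demonstration: an org-1 session asking for org-2's record.
const org1Session: Session = { accountId: 1, orgId: 1 };
console.log("vulnerable:", getExternalUserVulnerable(org1Session, "202").status); // 200
console.log("hardened:  ", getExternalUser(org1Session, "202").status);           // 404
```

The check belongs in the data access path (the query is filtered by the caller's organisation) rather than as a comparison bolted on after an unscoped lookup, so every handler that reuses the lookup inherits it. Returning 404 for records outside the caller's scope keeps the endpoint from acting as an existence oracle for ids.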

🧯 If You Can't Patch

  • Implement WAF rules to block suspicious ID parameter patterns
  • Enable detailed logging for all user data access attempts

🔍 How to Verify

Check if Vulnerable:

Test whether an authenticated user can access external user data by modifying the 'id' parameter in API requests.

Check Version:

Check package.json or the application's version endpoint.

Verify Fix Applied:

Verify that authorization checks are properly implemented and prevent unauthorized access

📡 Detection & Monitoring

Log Indicators:

  • Unusual pattern of user ID access attempts
  • Failed authorization checks for user endpoints

Network Indicators:

  • Multiple sequential requests to user endpoints with varying ID parameters

SIEM Query:

source="application_logs" AND (message="*user*id*" OR message="*authorization*failed*")
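The network indicator above (one session walking through many ID values on user endpoints) and the authorization-failure log indicator, as an added detection example in TypeScript run over constructed log lines. This is not lunary's logging format and not the SIEM query above: the line layout, the route shape /api/v1/external-users/<id>, and the 60-second window with a five-id threshold are assumptions for the example and would be tuned per deployment.

```typescript
// Added example (not lunary's code or logging): flag sessions that walk
// through many distinct external-user ids in a short window, and count how
// many of those requests were refused. ASSUMPTIONS: the log line layout and
// the route /api/v1/external-users/<id> are constructed for this example;
// the window and threshold are starting points to tune per deployment.

export type LogEvent = { tsIso: string; ts: number; session: string; method: string; userId: number; status: number };
export type Finding = { session: string; windowStart: string; distinctIds: number; refused: number };

const LINE = /^(\S+) session=(\S+) (\S+) (\S+) status=(\d{3})$/;
const USER_ROUTE = /^\/api\/v1\/external-users\/(\d+)$/; // assumed route shape

// Parse one line; returns null for lines that are malformed or that do not
// address an external-user record (health checks, other routes).
export function parseLine(line: string): LogEvent | null {
  const m = LINE.exec(line.trim());
  if (!m) return null;
  const [, tsIso, session, method, path, status] = m;
  const route = USER_ROUTE.exec(path);
  const ts = Date.parse(tsIso);
  if (!route || Number.isNaN(ts)) return null;
  return { tsIso, ts, session, method, userId: Number(route[1]), status: Number(status) };
}

// For each session, slide a window over its external-user requests and report
// the window with the most distinct ids once it reaches the threshold.
export function detectIdEnumeration(lines: string[], windowMs = 60_000, minDistinctIds = 5): Finding[] {
  const bySession = new Map<string, LogEvent[]>();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    const list = bySession.get(ev.session);
    if (list) list.push(ev);
    else bySession.set(ev.session, [ev]);
  }
  const findings: Finding[] = [];
  bySession.forEach((events, session) => {
    events.sort((a, b) => a.ts - b.ts);
    let best: Finding | null = null;
    for (const last of events) {
      const inWindow = events.filter((e) => e.ts > last.ts - windowMs && e.ts <= last.ts);
      const distinct = new Set(inWindow.map((e) => e.userId)).size;
      if (distinct >= minDistinctIds && (best === null || distinct > best.distinctIds)) {
        best = {
          session,
          windowStart: inWindow[0].tsIso,
          distinctIds: distinct,
          // 403/404 on these routes are the "failed authorization" signal from the log indicators
          refused: inWindow.filter((e) => e.status === 403 || e.status === 404).length,
        };
      }
    }
    if (best) findings.push(best);
  });
  return findings;
}

// Constructed sample log: a benign session, a slow legitimate session, and one
// session touching ids 100-106 within seven seconds.
export const SAMPLE_LOG: string[] = [
  "2024-08-05T10:00:00Z session=s-benign GET /api/v1/external-users/101 status=200",
  "2024-08-05T10:00:05Z session=s-benign GET /api/v1/external-users/101 status=200",
  "2024-08-05T10:00:10Z session=s-enum GET /api/v1/external-users/100 status=404",
  "2024-08-05T10:00:11Z session=s-enum GET /api/v1/external-users/101 status=200",
  "2024-08-05T10:00:12Z session=s-enum GET /api/v1/external-users/102 status=404",
  "2024-08-05T10:00:13Z session=s-enum GET /api/v1/external-users/103 status=404",
  "2024-08-05T10:00:14Z session=s-enum GET /api/v1/external-users/104 status=200",
  "2024-08-05T10:00:15Z session=s-enum GET /api/v1/external-users/105 status=404",
  "2024-08-05T10:00:16Z session=s-enum DELETE /api/v1/external-users/106 status=404",
  "2024-08-05T10:00:17Z session=s-benign GET /api/v1/health status=200",
  "2024-08-05T10:03:00Z session=s-slow GET /api/v1/external-users/201 status=200",
  "2024-08-05T10:05:00Z session=s-slow GET /api/v1/external-users/202 status=200",
];

console.log(detectIdEnumeration(SAMPLE_LOG)); // one finding for session s-enum: 7 ids, 5 refused
```

Keying on the session rather than the source IP keeps a single authenticated account visible even behind a shared egress, which matches the advisory's note that the exploit requires authentication. Note that on an unpatched instance the enumerating requests mostly succeed (status 200), so the distinct-id count is the primary signal and the refused count is only corroborating evidence.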
