CVE-2024-1666— Unauthorized Radar Creation in lunary-ai/lunary

EPSS 0.09% · P25 Updated Jan 25, 2025

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2024-1666

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Unauthorized Radar Creation in lunary-ai/lunary

Source: NVD (National Vulnerability Database)

Vulnerability Description

In lunary-ai/lunary version 1.0.0, an authorization flaw exists that allows unauthorized radar creation. The vulnerability stems from the lack of server-side checks to verify if a user is on a free account during the radar creation process, which is only enforced in the web UI. As a result, attackers can bypass the intended account upgrade requirement by directly sending crafted requests to the server, enabling the creation of an unlimited number of radars without payment.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

不加限制或调节的资源分配

Source: NVD (National Vulnerability Database)

Vulnerability Title

Lunary 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Lunary是lunary开源的一个 LLM 的生产工具包。 Lunary 1.0.0 版本存在安全漏洞，该漏洞源于应用存在授权缺陷。攻击者利用该漏洞可以直接向服务器发送精心设计的请求来绕过预期的帐户升级要求。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
lunary-ai	lunary-ai/lunary	unspecified ~ 1.2.7	-

II. Public POCs for CVE-2024-1666

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2024-1666

请登录查看更多情报信息。

Same Patch Batch · lunary-ai · 2024-04-16 · 4 CVEs total

CVE-2024-1626		IDOR Vulnerability in lunary-ai/lunary
CVE-2024-1738		Incorrect Authorization in lunary-ai/lunary
CVE-2024-1739		Case Insensitive Email Address Validation Vulnerability in lunary-ai/lunary

IV. Related Vulnerabilities

Same product: lunary-ai/lunary

Same vendor: lunary-ai

Same weakness: CWE-770

V. Comments for CVE-2024-1666

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2024-1666— Unauthorized Radar Creation in lunary-ai/lunary

I. Basic Information for CVE-2024-1666

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2024-1666

III. Intelligence Information for CVE-2024-1666

Same Patch Batch · lunary-ai · 2024-04-16 · 4 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2024-1666

Leave a comment