CVE-2024-7456

1 Nov 2024

Jose Alexis Correa Valencia
0 Comentarios

Título es

CVE-2024-7456

Vie, 01/11/2024 – 12:15

Tipo

CWE-89

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-7456

Descripción en

A SQL injection vulnerability exists in the `/api/v1/external-users` route of lunary-ai/lunary version v1.4.2. The `order by` clause of the SQL query uses `sql.unsafe` without prior sanitization, allowing for SQL injection. The `orderByClause` variable is constructed without server-side validation or sanitization, enabling an attacker to execute arbitrary SQL commands. Successful exploitation can lead to complete data loss, modification, or corruption.

01/11/2024

Vector CVSS:3.1

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Gravedad 3.1 (CVSS 3.1 Base Score)

9.80

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

CRITICAL

Referencias

https://github.com/lunary-ai/lunary/commit/6a0bc201181e0f4a0cc375ccf4ef0d7ae65c8a8e

https://huntr.com/bounties/bfb3015e-5642-4d94-ab49-e8b49c4e07e4

Enviar en el boletín

Off

CVE-2024-7456

CVE-2024-7456

Jose Alexis Correa Valencia