Home > Vulnerability Database > CVE-2024-1599

Mend.io Vulnerability Database

CVE-2024-1599

Good to know:

Date: April 10, 2024

lunary-ai/lunary version 0.3.0 is vulnerable to unauthorized project creation due to insufficient server-side validation of user account types during project creation. In the free account tier, users are limited to creating only two projects. However, this restriction is enforced only in the web UI and not on the server side, allowing users to bypass the limitation and create an unlimited number of projects without upgrading their account or incurring additional charges. This vulnerability is due to the lack of checks in the project creation endpoint.

Language: TYPE_SCRIPT

Severity Score

5.3

Related Resources (4)

Url: https://github.com/lunary-ai/lunary/commit/48d66a3deef8788fda7621e88f0e3a8a4a1ddeb9

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-1599

Url: https://huntr.com/bounties/f1f9e9d6-de5f-48c4-b4f4-fbd192370417

Url: https://www.mend.io/vulnerability-database/CVE-2024-1599

Severity Score

5.3

Weakness Type (CWE)

Allocation of Resources Without Limits or Throttling

CWE-770

Top Fix

Upgrade Version

Upgrade to version 48d66a3deef8788fda7621e88f0e3a8a4a1ddeb9

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-1599

Good to know:

Date: April 10, 2024

Language: TYPE_SCRIPT

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?