CRITICAL🇵🇱 Wersja polska

CVE-2024-7456

CVSS 9.8v3.1pub. 2024-11-01upd. 2024-11-06

A SQL injection vulnerability exists in the `/api/v1/external-users` route of lunary-ai/lunary version v1.4.2. The `order by` clause of the SQL query uses `sql.unsafe` without prior sanitization, allowing for SQL injection. The `orderByClause` variable is constructed without server-side validation or sanitization, enabling an attacker to execute arbitrary SQL commands. Successful exploitation can lead to complete data loss, modification, or corruption.

🤖 AI Analysis
How it works

The `ORDER BY` clause in the SQL query is constructed using `sql.unsafe` without prior validation or sanitization of input data on the server side. The `orderByClause` variable is constructed directly from user-supplied data, which allows SQL code injection. An attacker can manipulate the sorting parameter in an HTTP request to execute arbitrary database commands — without needing to have any account or permissions.

Impact

Successful exploitation of the vulnerability can lead to complete loss, modification, or corruption of data stored in the application database. An attacker can gain unauthorized access to sensitive information and permanently destroy or modify data resources.

Mitigation & patch

The application should be updated to a version containing the patch available in the project repository (commit 6a0bc201181e0f4a0cc375ccf4ef0d7ae65c8a8e). It is also recommended to implement validation and sanitization of all input data passed to SQL queries on the server side, particularly ORDER BY clause parameters.

Who is affected

Lunary (lunary-ai/lunary) in version v1.4.2

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Lunary

    APP
    Lunary
    1.4.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2025-5352CRITICAL9.6PL ✓ten sam produkt

Stored XSS w Lunary — wstrzyknięcie skryptu przez zmienną środowiskową

CVE-2024-9095CRITICAL9.8PL ✓ten sam produkt

Brak kontroli dostępu w API BigQuery — eksport całej bazy danych w Lunary

CVE-2024-7475CRITICAL9.1PL ✓ten sam produkt

Lunary: brak kontroli dostępu do konfiguracji SAML (nieautoryzowana zmiana)

CVE-2024-4146CRITICAL9.8PL ✓ten sam produkt

Błąd autoryzacji w Lunary umożliwiający pełny dostęp do projektów

CVE-2024-5328CRITICAL9.3PL ✓ten sam produkt

SSRF w Lunary – nieautoryzowane żądania przez endpoint SAML IdP