A SQL injection vulnerability exists in the `/api/v1/external-users` route of lunary-ai/lunary version v1.4.2. The `order by` clause of the SQL query uses `sql.unsafe` without prior sanitization, allowing for SQL injection. The `orderByClause` variable is constructed without server-side validation or sanitization, enabling an attacker to execute arbitrary SQL commands. Successful exploitation can lead to complete data loss, modification, or corruption.
The `ORDER BY` clause in the SQL query is constructed using `sql.unsafe` without prior validation or sanitization of input data on the server side. The `orderByClause` variable is constructed directly from user-supplied data, which allows SQL code injection. An attacker can manipulate the sorting parameter in an HTTP request to execute arbitrary database commands — without needing to have any account or permissions.
Successful exploitation of the vulnerability can lead to complete loss, modification, or corruption of data stored in the application database. An attacker can gain unauthorized access to sensitive information and permanently destroy or modify data resources.
The application should be updated to a version containing the patch available in the project repository (commit 6a0bc201181e0f4a0cc375ccf4ef0d7ae65c8a8e). It is also recommended to implement validation and sanitization of all input data passed to SQL queries on the server side, particularly ORDER BY clause parameters.
Lunary (lunary-ai/lunary) in version v1.4.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLunary
APPLunary1.4.2
Related vulnerabilities
Stored XSS w Lunary — wstrzyknięcie skryptu przez zmienną środowiskową
Brak kontroli dostępu w API BigQuery — eksport całej bazy danych w Lunary
Lunary: brak kontroli dostępu do konfiguracji SAML (nieautoryzowana zmiana)
Błąd autoryzacji w Lunary umożliwiający pełny dostęp do projektów
SSRF w Lunary – nieautoryzowane żądania przez endpoint SAML IdP