1 changes (1 new | 0 updated):
      - 1 new CVEs:  CVE-2024-7456
      - 0 updated CVEs:
cvelistV5 Github Action committed Nov 1, 2024
1 parent 1071aa9 commit 30ea817
Showing 3 changed files with 104 additions and 5 deletions.
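--- a/cves/2024/7xxx/CVE-2024-7456.json
+++ b/cves/2024/7xxx/CVE-2024-7456.json
@@ -0,0 +1,85 @@
+{
+"dataType": "CVE_RECORD",
+"dataVersion": "5.1",
+"cveMetadata": {
+"cveId": "CVE-2024-7456",
+"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
+"state": "PUBLISHED",
+"assignerShortName": "@huntr_ai",
+"dateReserved": "2024-08-03T21:42:38.864Z",
+"datePublished": "2024-11-01T12:05:12.189Z",
+"dateUpdated": "2024-11-01T12:05:12.189Z"
+},
+"containers": {
+"cna": {
+"title": "SQL Injection in lunary-ai/lunary",
+"providerMetadata": {
+"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
+"shortName": "@huntr_ai",
+"dateUpdated": "2024-11-01T12:05:12.189Z"
+},
+"descriptions": [
+{
+"lang": "en",
+"value": "A SQL injection vulnerability exists in the `/api/v1/external-users` route of lunary-ai/lunary version v1.4.2. The `order by` clause of the SQL query uses `sql.unsafe` without prior sanitization, allowing for SQL injection. The `orderByClause` variable is constructed without server-side validation or sanitization, enabling an attacker to execute arbitrary SQL commands. Successful exploitation can lead to complete data loss, modification, or corruption."
+}
+],
+"affected": [
+{
+"vendor": "lunary-ai",
+"product": "lunary-ai/lunary",
+"versions": [
+{
+"version": "unspecified",
+"lessThan": "1.4.3",
+"status": "affected",
+"versionType": "custom"
+}
+]
+}
+],
+"references": [
+{
+"url": "https://huntr.com/bounties/bfb3015e-5642-4d94-ab49-e8b49c4e07e4"
+},
+{
+"url": "https://github.com/lunary-ai/lunary/commit/6a0bc201181e0f4a0cc375ccf4ef0d7ae65c8a8e"
+}
+],
+"metrics": [
+{
+"cvssV3_0": {
+"version": "3.0",
+"attackComplexity": "LOW",
+"attackVector": "NETWORK",
+"availabilityImpact": "HIGH",
+"confidentialityImpact": "HIGH",
+"integrityImpact": "HIGH",
+"privilegesRequired": "NONE",
+"scope": "UNCHANGED",
+"userInteraction": "NONE",
+"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+"baseScore": 9.8,
+"baseSeverity": "CRITICAL"
+}
+}
+],
+"problemTypes": [
+{
+"descriptions": [
+{
+"type": "CWE",
+"lang": "en",
+"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command",
+"cweId": "CWE-89"
+}
+]
+}
+],
+"source": {
+"advisory": "bfb3015e-5642-4d94-ab49-e8b49c4e07e4",
+"discovery": "EXTERNAL"
+}
+}
+}
+}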
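Review bot: The `versions` entry under `affected` gives consumers no way to evaluate the stated range: `"version": "unspecified"` with `"versionType": "custom"` carries no comparison semantics for the `"lessThan": "1.4.3"` bound, even though the description names the vulnerable release in ordinary dotted form (v1.4.2). Since the project's releases are dotted numeric versions, `"version": "0"` together with `"versionType": "semver"` (or the concrete first affected release, if known) would make the range machine-interpretable and consistent with the description. Adding `"defaultStatus": "unaffected"` to the affected entry would also remove ambiguity about releases outside the stated range. Separately, the metric is supplied as `cvssV3_0` with a `CVSS:3.0/...` vector; if the CNA's tooling supports it, `cvssV3_1` is the current specification and is what most downstream consumers normalize to.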
10 changes: 5 additions & 5 deletions cves/delta.json
@@ -1,12 +1,12 @@
{
"fetchTime": "2024-11-01T11:38:34.318Z",
"fetchTime": "2024-11-01T12:13:32.534Z",
"numberOfChanges": 1,
"new": [
{
"cveId": "CVE-2024-10654",
"cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-10654",
"githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/10xxx/CVE-2024-10654.json",
"dateUpdated": "2024-11-01T11:31:05.723Z"
"cveId": "CVE-2024-7456",
"cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-7456",
"githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/7xxx/CVE-2024-7456.json",
"dateUpdated": "2024-11-01T12:05:12.189Z"
}
],
"updated": [],
14 changes: 14 additions & 0 deletions cves/deltaLog.json
@@ -1,4 +1,18 @@
[
{
"fetchTime": "2024-11-01T12:13:32.534Z",
"numberOfChanges": 1,
"new": [
{
"cveId": "CVE-2024-7456",
"cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-7456",
"githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/7xxx/CVE-2024-7456.json",
"dateUpdated": "2024-11-01T12:05:12.189Z"
}
],
"updated": [],
"error": []
},
{
"fetchTime": "2024-11-01T11:38:34.318Z",
"numberOfChanges": 1,
