Refine your search
2 vulnerabilities found for by lunary-ai
CVE-2025-9803 (GCVE-0-2025-9803)
Vulnerability from cvelistv5
Published
2025-11-25 00:00
Modified
2025-11-25 18:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-287 - Improper Authentication
Summary
lunary-ai/lunary version 1.9.34 is vulnerable to an account takeover due to improper authentication in the Google OAuth integration. The application fails to verify the 'aud' (audience) field in the access token issued by Google, which is crucial for ensuring the token is intended for the application. This oversight allows attackers to use tokens issued to malicious applications to gain unauthorized access to user accounts. The issue is resolved in version 1.9.35.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| lunary-ai | lunary-ai/lunary |
Version: unspecified < 1.9.35 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9803",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-25T18:35:13.605035Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T18:35:17.845Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://huntr.com/bounties/4734f35f-514c-4d10-98fa-3a54514f6af6"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lunary-ai/lunary",
"vendor": "lunary-ai",
"versions": [
{
"lessThan": "1.9.35",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "lunary-ai/lunary version 1.9.34 is vulnerable to an account takeover due to improper authentication in the Google OAuth integration. The application fails to verify the \u0027aud\u0027 (audience) field in the access token issued by Google, which is crucial for ensuring the token is intended for the application. This oversight allows attackers to use tokens issued to malicious applications to gain unauthorized access to user accounts. The issue is resolved in version 1.9.35."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T00:00:35.380Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/4734f35f-514c-4d10-98fa-3a54514f6af6"
},
{
"url": "https://github.com/lunary-ai/lunary/commit/95a2cc8e012bf5f089edbfa072ba66dcb7e10d91"
}
],
"source": {
"advisory": "4734f35f-514c-4d10-98fa-3a54514f6af6",
"discovery": "EXTERNAL"
},
"title": "Improper Authentication in lunary-ai/lunary"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2025-9803",
"datePublished": "2025-11-25T00:00:35.380Z",
"dateReserved": "2025-09-01T13:06:49.733Z",
"dateUpdated": "2025-11-25T18:35:17.845Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-7475 (GCVE-0-2024-7475)
Vulnerability from cvelistv5
Published
2024-10-29 12:45
Modified
2025-10-21 14:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
An improper access control vulnerability in lunary-ai/lunary version 1.3.2 allows an attacker to update the SAML configuration without authorization. This vulnerability can lead to manipulation of authentication processes, fraudulent login requests, and theft of user information. Appropriate access controls should be implemented to ensure that the SAML configuration can only be updated by authorized users.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| lunary-ai | lunary-ai/lunary |
Version: unspecified < 1.3.4 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:lunary-ai:lunary-ai\\/lunary:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "lunary-ai\\/lunary",
"vendor": "lunary-ai",
"versions": [
{
"lessThan": "1.3.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-7475",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-29T13:48:21.210670Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T14:10:24.049Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lunary-ai/lunary",
"vendor": "lunary-ai",
"versions": [
{
"lessThan": "1.3.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An improper access control vulnerability in lunary-ai/lunary version 1.3.2 allows an attacker to update the SAML configuration without authorization. This vulnerability can lead to manipulation of authentication processes, fraudulent login requests, and theft of user information. Appropriate access controls should be implemented to ensure that the SAML configuration can only be updated by authorized users."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T12:49:50.669Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/78c824f7-3b6d-443d-bb76-0f8031c6c126"
},
{
"url": "https://github.com/lunary-ai/lunary/commit/8f563c77d8614a72980113f530c7a9ec15a5f8d5"
}
],
"source": {
"advisory": "78c824f7-3b6d-443d-bb76-0f8031c6c126",
"discovery": "EXTERNAL"
},
"title": "Improper Access Control in lunary-ai/lunary"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2024-7475",
"datePublished": "2024-10-29T12:45:53.136Z",
"dateReserved": "2024-08-04T14:06:01.221Z",
"dateUpdated": "2025-10-21T14:10:24.049Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}