CVE-2024-6867
Published: 13 September 2024
Summary
CVE-2024-6867 is a medium-severity Insufficient Granularity of Access Control (CWE-1220) vulnerability in Lunary (lunary-ai/lunary). Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Databases (T1213.006); ranked at the 40.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Other Platforms; in the Privacy and Disclosure risk domain; MITRE ATLAS techniques in scope: Adversarial AI Attack Implementations (AML.T0016.000), AML.T0012.000, AML.T0020.000.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2763
Vulnerability details
An information disclosure vulnerability exists in lunary-ai/lunary, specifically in the `runs/{run_id}/related` endpoint. This endpoint does not verify that the user has the necessary access rights to the run(s) they are accessing. As a result, it returns not only the specified run but also all runs that have the `run_id` listed as their parent run. This issue affects the main branch, commit a761d833. The vulnerability allows unauthorized users to obtain information about non-public runs and their related runs, given the `run_id` of a public or non-public run.
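The weakness described above is a per-object authorization gap: the handler looks up the parent run and every child run by identifier, but never asks whether the caller may read each of them. The following is an added illustration, not Lunary's code; the in-memory run table, the user model (`projectIds`) and the function names are constructed for the example. It contrasts the vulnerable lookup shape with a hardened one that checks the requested run and then filters every related run through the same access decision.

```javascript
// Added example (not lunary-ai/lunary's code). Constructed sample data:
// four runs across two projects, three of them children of "r1".
const runs = [
  { id: "r1", projectId: "p1", isPublic: true,  parentRunId: null },
  { id: "r2", projectId: "p1", isPublic: false, parentRunId: "r1" },
  { id: "r3", projectId: "p2", isPublic: false, parentRunId: "r1" }, // private, other project
  { id: "r4", projectId: "p2", isPublic: true,  parentRunId: "r1" },
];

// Hypothetical access rule: public runs are readable by anyone (including
// anonymous callers, modelled as user === null); private runs require
// membership in the run's project.
function canReadRun(user, run) {
  if (run.isPublic) return true;
  return user !== null && user.projectIds.includes(run.projectId);
}

// Vulnerable shape (CWE-1220): the lookup is keyed on run_id alone and
// every matching row is returned, regardless of who is asking.
function relatedRunsVulnerable(user, runId) {
  return runs.filter(r => r.id === runId || r.parentRunId === runId);
}

// Hardened shape: the requested run itself must be readable, and each
// related run is filtered individually. Unknown and forbidden run ids get
// the same null result so the endpoint does not confirm existence.
function relatedRunsHardened(user, runId) {
  const root = runs.find(r => r.id === runId);
  if (!root || !canReadRun(user, root)) return null;
  return runs.filter(
    r => (r.id === runId || r.parentRunId === runId) && canReadRun(user, r)
  );
}

// Helper for comparing results by id.
function idsOf(result) {
  return result === null ? null : result.map(r => r.id);
}

module.exports = { runs, canReadRun, relatedRunsVulnerable, relatedRunsHardened, idsOf };
```

The design point is that access is decided per returned object, not once per request: a caller allowed to see a public parent run is not thereby allowed to see every private child that references it, which is exactly the data the advisory says leaks.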
- CWE(s): CWE-1220 Insufficient Granularity of Access Control
AI Security Analysis
- AI Category
- Other Platforms
- Risk Domain
- Privacy and Disclosure
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Lunary.ai/lunary is an open-source observability and management platform for AI/LLM applications, tracking runs and related metrics, which fits 'Other Platforms' as it is neither a framework, library, nor specific to NLP/CV/etc., but a broader AI platform.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an information disclosure via broken access control in an API endpoint, enabling unauthorized access to non-public run data likely stored in a backend database.
MITRE ATLAS Techniques
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Use of granular security and privacy attributes enables finer access control than coarse permission models alone.
- Documenting interface characteristics enables more granular control over internal access.
- Requires the architecture to describe the granularity and placement of controls, preventing insufficiently fine-grained access decisions.
- Provides the necessary granularity by placing system management functions outside the reach of user-level access controls.
- Isolation supplies an explicit, enforceable granularity boundary between security and non-security functions that coarser access-control schemes lack.