Cyber Resilience

CVE-2024-6867

Medium · Public PoC

Published: 13 September 2024
Modified: 19 September 2024
KEV Added: not listed
Patch: not recorded
CVSS Score (v3.1): 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0018 (40.0th percentile)
Risk Priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-6867 is a medium-severity Insufficient Granularity of Access Control (CWE-1220) vulnerability in Lunary (lunary-ai/lunary). Its CVSS v3.1 base score is 6.5 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Databases (T1213.006). The CVE ranks at the 40.0th percentile by EPSS exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: the affected product is categorised as Other Platforms, the risk domain is Privacy and Disclosure, and the MITRE ATLAS techniques in scope are Adversarial AI Attack Implementations (AML.T0016.000), AML.T0012.000 and AML.T0020.000.

EU & UK References

Vulnerability details

An information disclosure vulnerability exists in lunary-ai/lunary, specifically in the `runs/{run_id}/related` endpoint. This endpoint does not verify that the user has the necessary access rights to the run(s) they are accessing. As a result, it returns not only the specified run but also all runs that have the `run_id` listed as their parent run. This issue affects the main branch, commit a761d833. The vulnerability allows unauthorized users to obtain information about non-public runs and their related runs, given the `run_id` of a public or non-public run.
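The access-control gap described above, shown as an added defender's example (this is not Lunary's code; the run fields `projectId`, `parentRunId` and `isPublic`, the `caller` shape and the function names are assumptions): the unchecked lookup that returns a run and every run pointing at it as parent, beside a version that first authorizes the requested run and then re-checks each related run individually, so a parent reference from another project cannot widen what the caller sees.

```javascript
// Added example, not Lunary's code. Data model and names are assumptions.
// Constructed sample data: two projects; one public root run in project A,
// and a private run in project B that lists the public run as its parent.
const RUNS = [
  { id: "run-a1", projectId: "proj-A", parentRunId: null,     isPublic: true,  name: "public root in A" },
  { id: "run-a2", projectId: "proj-A", parentRunId: "run-a1", isPublic: false, name: "private child in A" },
  { id: "run-b1", projectId: "proj-B", parentRunId: null,     isPublic: false, name: "private root in B" },
  { id: "run-b2", projectId: "proj-B", parentRunId: "run-a1", isPublic: false, name: "private child in B, parent in A" },
];

// Vulnerable shape (the behaviour the advisory describes): resolve the run by
// id alone, then return every run whose parentRunId matches, with no check of
// who is asking. Private runs from any project leak through the parent link.
function getRelatedRunsUnchecked(runId, runs = RUNS) {
  const run = runs.find((r) => r.id === runId);
  if (!run) return null;
  const children = runs.filter((r) => r.parentRunId === runId);
  return [run, ...children];
}

// Hardened shape. `caller` is { userId, projectIds: Set<string> } for an
// authenticated user, or null for an anonymous request (assumed shape).
// Rule: a run is visible if it is public or belongs to one of the caller's projects.
function canViewRun(run, caller) {
  if (run.isPublic) return true;
  return caller !== null && caller.projectIds.has(run.projectId);
}

function getRelatedRuns(runId, caller, runs = RUNS) {
  const run = runs.find((r) => r.id === runId);
  // Return the same "null" for missing and forbidden so the endpoint does not
  // act as an oracle for which run ids exist.
  if (!run || !canViewRun(run, caller)) return null;
  // Authorize each related run on its own; being a child of a visible run
  // is not a grant. This is what closes the cross-project leak.
  const children = runs.filter((r) => r.parentRunId === runId && canViewRun(r, caller));
  return [run, ...children];
}

// Reduce a result to ids, the way a response body would be compared in a test.
function relatedIds(result) {
  return result === null ? null : result.map((r) => r.id);
}

// Stand-alone demo when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  const userA = { userId: "u1", projectIds: new Set(["proj-A"]) };
  console.log("unchecked, anonymous:", relatedIds(getRelatedRunsUnchecked("run-a1")));
  console.log("checked, anonymous:  ", relatedIds(getRelatedRuns("run-a1", null)));
  console.log("checked, project A:  ", relatedIds(getRelatedRuns("run-a1", userA)));
  console.log("checked, B root as A:", getRelatedRuns("run-b1", userA));
}
```

Running the demo shows the unchecked lookup handing an anonymous caller `run-b2`, a private run in another project, purely because it names the public run as its parent; the checked version returns only the public run to an anonymous caller and only the project's own child to a member of project A. A regression test for the endpoint should assert exactly that difference, and should also confirm that a forbidden run id and a nonexistent run id produce the same response.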

CWE(s)

AI Security Analysis

AI Category
Other Platforms
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Lunary.ai/lunary is an open-source observability and management platform for AI/LLM applications, tracking runs and related metrics, which fits 'Other Platforms' as it is neither a framework, library, nor specific to NLP/CV/etc., but a broader AI platform.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
Why these techniques?

The vulnerability is an information disclosure via broken access control in an API endpoint, enabling unauthorized access to non-public run data likely stored in a backend database.

MITRE ATLAS Techniques

AML.T0016.000: Adversarial AI Attack Implementations
AML.T0012.000
AML.T0020.000

Affected Assets

Vendor: lunary
Product: lunary
Version: 1.4.9

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-1220: Use of granular security and privacy attributes enables finer access control than coarse permission models alone.

Addresses CWE-1220: Documenting interface characteristics enables more granular control over internal access.

Addresses CWE-1220: Requires the architecture to describe granularity and placement of controls, preventing insufficiently fine-grained access decisions.

Addresses CWE-1220: Provides the necessary granularity by placing system management functions outside the reach of user-level access controls.

Addresses CWE-1220: Isolation supplies an explicit, enforceable granularity boundary between security and non-security functions that coarser access-control schemes lack.

References