Cyber Resilience

CVE-2024-7473

MediumPublic PoC

Published: 29 October 2024

Published
29 October 2024
Modified
03 November 2024
KEV Added
Patch
CVSS Score v3.1 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS Score 0.0015 35.3th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-7473 is a medium-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Lunary Lunary. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Stored Data Manipulation (T1565.001); ranked at the 35.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Other Platforms; in the Data-Related Vulnerabilities risk domain; MITRE ATLAS techniques in scope: Hardware (AML.T0010.000), Direct (AML.T0051.000), Financial Harm (AML.T0048.000).

EU & UK References

Vulnerability details

An IDOR vulnerability exists in the 'Evaluations' function of the 'umgws datasets' section in lunary-ai/lunary versions 1.3.2. This vulnerability allows an authenticated user to update other users' prompts by manipulating the 'id' parameter in the request. The issue is fixed…

more

in version 1.4.3.

CWE(s)

AI Security AnalysisAI

AI Category
Other Platforms
Risk Domain
Data-Related Vulnerabilities
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Lunary.ai is an open-source LLM observability platform for evaluations, datasets, and prompts in AI/ML applications, fitting as an 'Other Platforms' category for AI infrastructure tools.

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

IDOR vulnerability enables authenticated users to unauthorizedly update other users' stored prompts/datasets, facilitating stored data manipulation.

MITRE ATLAS TechniquesAI

MITRE ATLAS techniques

AML.T0010.000: HardwareAML.T0051.000: DirectAML.T0048.000: Financial Harm

Affected Assets

lunary
lunary
1.3.2

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-639

Per-request decision making makes it harder to bypass authorization using user-controlled keys without proper validation in the decision process.

addresses: CWE-639

Consistent enforcement of approved authorizations makes bypassing via user-controlled keys ineffective.

References