An Insecure Direct Object Reference (IDOR) vulnerability exists in the PATCH /v1/runs/:id/score endpoint of lunary-ai/lunary version 1.6.0. This vulnerability allows an attacker to update the score data of any run by manipulating the id parameter in the request URL, which corresponds to the runId_score in the database. The endpoint does not sufficiently validate whether the authenticated user has permission to modify the specified runId, enabling an attacker with a valid account to modify other users runId scores by specifying different id values. This issue was fixed in version 1.6.1.
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Access control involves the use of several protection mechanisms such as:
When any mechanism is not applied or otherwise fails, attackers can compromise the security of the product by gaining privileges, reading sensitive information, executing commands, evading detection, etc. There are two distinct behaviors that can introduce access control weaknesses: