漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Exposure of Private API Keys in lunary-ai/lunary
Vulnerability Description
In lunary-ai/lunary version v1.4.29, the GET /projects API endpoint exposes both public and private API keys for all projects to users with minimal permissions, such as Viewers or Prompt Editors. This vulnerability allows unauthorized users to retrieve sensitive credentials, which can be used to perform actions on behalf of the project, access private data, and delete resources. The private API keys are exposed in the developer tools when the endpoint is called from the frontend.
CVSS Information
N/A
Vulnerability Type
CWE-1230
Vulnerability Title
Lunary 安全漏洞
Vulnerability Description
Lunary是Lunary开源的一个 LLM 的生产工具包。 Lunary v1.4.29版本存在安全漏洞,该漏洞源于GET /projects API端点向具有最低权限的用户暴露了所有项目的公共和私有API密钥,可能导致敏感凭据泄露。
CVSS Information
N/A
Vulnerability Type
N/A