Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Exposure of Private API Keys in lunary-ai/lunary
Vulnerability Description
In lunary-ai/lunary version v1.4.29, the GET /projects API endpoint exposes both public and private API keys for all projects to users with minimal permissions, such as Viewers or Prompt Editors. This vulnerability allows unauthorized users to retrieve sensitive credentials, which can be used to perform actions on behalf of the project, access private data, and delete resources. The private API keys are exposed in the developer tools when the endpoint is called from the frontend.
CVSS Information
N/A
Vulnerability Type
CWE-1230
Vulnerability Title
Lunary 安全漏洞
Vulnerability Description
Lunary是Lunary开源的一个 LLM 的生产工具包。 Lunary v1.4.29版本存在安全漏洞,该漏洞源于GET /projects API端点向具有最低权限的用户暴露了所有项目的公共和私有API密钥,可能导致敏感凭据泄露。
CVSS Information
N/A
Vulnerability Type
N/A