CVE-2024-10330: CWE-862 Missing Authorization in lunary-ai lunary-ai/lunary
In lunary-ai/lunary version 1.5.6, the `/v1/evaluators/` endpoint lacks proper access control, allowing any user associated with a project to fetch all evaluator data regardless of their role. This vulnerability permits low-privilege users to access potentially sensitive evaluation data.
AI Analysis
Technical Summary
CVE-2024-10330 identifies a missing authorization vulnerability (CWE-862) in the lunary-ai/lunary software, specifically version 1.5.6. The vulnerability resides in the /v1/evaluators/ REST API endpoint, which fails to enforce proper access control checks. As a result, any user associated with a project can retrieve all evaluator data, regardless of their assigned role or privilege level. This means that low-privilege users can access potentially sensitive evaluation data that should be restricted to higher-privilege roles. The vulnerability is remotely exploitable over the network without user interaction, so an attacker who already holds minimal project privileges can exploit it with little effort. The CVSS v3.0 score of 6.5 reflects a medium severity, primarily due to the high confidentiality impact with no impact on integrity or availability. The flaw does not require elevated privileges beyond project association, and no patches or known exploits are currently documented. This vulnerability illustrates a common oversight in API design: the endpoint authenticates the caller and confirms project membership, but never checks the caller's role before returning data, allowing unauthorized data disclosure. Organizations using lunary-ai/lunary should audit their API endpoints for proper role-based access control and apply fixes or compensating controls to prevent unauthorized data access.
Potential Impact
For European organizations, the primary impact of CVE-2024-10330 is the unauthorized disclosure of sensitive evaluator data, which could include proprietary AI model evaluations, performance metrics, or other confidential project information. This breach of confidentiality could lead to competitive disadvantage, intellectual property theft, or regulatory non-compliance, especially under GDPR which mandates strict data protection measures. Although the vulnerability does not affect data integrity or system availability, the exposure of sensitive data can damage trust and reputation. Organizations in sectors such as AI research, software development, and data analytics that rely on lunary-ai/lunary are particularly at risk. The ease of exploitation without user interaction and low privilege requirements increase the likelihood of insider threats or lateral movement by attackers who have gained minimal access. The absence of known exploits in the wild reduces immediate risk but does not eliminate the potential for future attacks. European entities must consider the sensitivity of the exposed data and the regulatory implications of unauthorized access when assessing the impact.
Mitigation Recommendations
To mitigate CVE-2024-10330, organizations should first verify the version of lunary-ai/lunary in use and upgrade to a patched version once available. In the absence of an official patch, implement strict role-based access control (RBAC) on the /v1/evaluators/ endpoint to ensure only authorized roles can access evaluator data. This can be achieved by modifying API gateway policies or backend authorization logic to enforce least privilege principles. Additionally, conduct a thorough audit of all API endpoints to identify and remediate similar missing authorization issues. Enable detailed logging and monitoring of API access to detect anomalous requests or unauthorized data retrieval attempts. Employ network segmentation to limit access to the lunary-ai/lunary service to trusted users and systems. Educate developers and security teams on secure API design practices, emphasizing the importance of authorization checks. Finally, review and update internal security policies to include regular security assessments of third-party tools and dependencies.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: @huntr_ai
- Date Reserved: 2024-10-24T04:03:48.503Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 68ef9b22178f764e1f4709e6
Added to database: 10/15/2025, 1:01:22 PM
Last enriched: 10/15/2025, 1:13:31 PM
Last updated: 10/16/2025, 2:53:21 PM