CVE-2024-4146

In lunary-ai/lunary version v1.2.13, an incorrect authorization vulnerability exists that allows unauthorized users to access and manipulate projects within an organization they should not have access to. Specifically, the vulnerability is located in the `checkProjectAccess` method within the authorization middleware, which fails to adequately verify if a user has the correct permissions to access a specific project. Instead, it only checks if the user is part of the organization owning the project, overlooking the necessary check against the `account_project` table for explicit project access rights. This flaw enables attackers to gain complete control over all resources within a project, including the ability to create, update, read, and delete any resource, compromising the privacy and security of sensitive information.

CVSS v3.0 9.8 CRITICAL

9.8^/10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/a749e696-b398-4260-b2d0-b0054b9fffa7	Exploit Issue Tracking
https://github.com/lunary-ai/lunary/commit/c43b6c62035f32ca455f66d5fd22ba661648cde7	Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:lunary:lunary:1.2.13:*:*:*:*:*:*:*

History

30 Aug 2024, 16:15

Type	Values Removed	Values Added
Summary	In lunary-ai/lunary version v1.2.13, an improper authorization vulnerability exists that allows unauthorized users to access and manipulate projects within an organization they should not have access to. Specifically, the vulnerability is located in the `checkProjectAccess` method within the authorization middleware, which fails to adequately verify if a user has the correct permissions to access a specific project. Instead, it only checks if the user is part of the organization owning the project, overlooking the necessary check against the `account_project` table for explicit project access rights. This flaw enables attackers to gain complete control over all resources within a project, including the ability to create, update, read, and delete any resource, compromising the privacy and security of sensitive information.	In lunary-ai/lunary version v1.2.13, an incorrect authorization vulnerability exists that allows unauthorized users to access and manipulate projects within an organization they should not have access to. Specifically, the vulnerability is located in the `checkProjectAccess` method within the authorization middleware, which fails to adequately verify if a user has the correct permissions to access a specific project. Instead, it only checks if the user is part of the organization owning the project, overlooking the necessary check against the `account_project` table for explicit project access rights. This flaw enables attackers to gain complete control over all resources within a project, including the ability to create, update, read, and delete any resource, compromising the privacy and security of sensitive information.

19 Jul 2024, 19:03

Type	Values Removed	Values Added
First Time		Lunary lunary Lunary
CWE	~~CWE-285~~	CWE-863
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
References	~~() https://github.com/lunary-ai/lunary/commit/c43b6c62035f32ca455f66d5fd22ba661648cde7 -~~	() https://github.com/lunary-ai/lunary/commit/c43b6c62035f32ca455f66d5fd22ba661648cde7 - Patch
References	~~() https://huntr.com/bounties/a749e696-b398-4260-b2d0-b0054b9fffa7 -~~	() https://huntr.com/bounties/a749e696-b398-4260-b2d0-b0054b9fffa7 - Exploit, Issue Tracking
CPE		cpe:2.3:a:lunary:lunary:1.2.13:::::::*

08 Jun 2024, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-06-08 20:15

Updated : 2024-08-30 16:15

NVD link : CVE-2024-4146

Mitre link : CVE-2024-4146

JSON object : View

Products Affected

lunary

lunary

CWE

CWE-863

Incorrect Authorization

9.8 /10