cve @huntr_ai CVE-2024-6086
History: Jun 27, 2024 - 7:15 p.m.

CVE-2024-6086

2024-06-27 19:15:19
CWE-284
@huntr_ai
web.nvd.nist.gov
lunary-ai/lunary
access control
organization name
authentication
improper access control

CVSS3: 4.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS: 0
Percentile: 14.8%

In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due to improper access control. The function checkAccess() is not implemented, allowing users with the lowest privileges, such as the ‘Prompt Editor’ role, to modify organization attributes without proper authorization.

Affected configurations

Nvd
Vulnrichment
Node: lunary lunary (Match: 1.2.7)

Vendor: lunary
Product: lunary
Version: 1.2.7
CPE: cpe:2.3:a:lunary:lunary:1.2.7:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "lunary-ai",
    "product": "lunary-ai/lunary",
    "versions": [
      {
        "version": "unspecified",
        "status": "affected",
        "versionType": "custom",
        "lessThanOrEqual": "latest"
      }
    ]
  }
]
