CVE-2024-6086 Improper Access Control in lunary-ai/lunary

2024-06-27 18:46:15
CWE-284
@huntr_ai
www.cve.org

CVSS3: 5.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS: 0
Percentile: 14.8%

In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due to improper access control. The function checkAccess() is not implemented, allowing users with the lowest privileges, such as the ‘Prompt Editor’ role, to modify organization attributes without proper authorization.
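The missing check described above, reconstructed as an added example that is not lunary's own code: a deny-by-default checkAccess() beside the vulnerable (authentication only) and hardened forms of an organization-rename handler. The role names, the permission table and the sample data are assumptions chosen to mirror the advisory, with "prompt_editor" as the lowest-privileged role.

```typescript
// Added example, not lunary's code. Roles and the permission table are assumptions
// that mirror the advisory: "prompt_editor" is the lowest-privileged role.
type Role = "owner" | "admin" | "member" | "prompt_editor";

interface User { id: string; orgId: string; role: Role }
interface Org { id: string; name: string }

// Roles allowed to update organization attributes such as its name (assumed policy).
const ORG_UPDATE_ROLES: ReadonlySet<Role> = new Set<Role>(["owner", "admin"]);

// Authorization check: the caller must belong to the target org and hold a role
// permitted for the action. Any condition that fails results in a denial.
function checkAccess(user: User, org: Org, action: "update"): boolean {
  if (user.orgId !== org.id) return false;
  if (action === "update") return ORG_UPDATE_ROLES.has(user.role);
  return false;
}

// Vulnerable shape: authentication only, so any logged-in user can rename the org.
function renameOrgVulnerable(user: User, org: Org, newName: string): Org {
  if (!user) throw new Error("unauthenticated");
  return { ...org, name: newName };
}

// Hardened shape: the same handler with checkAccess() enforced before the write.
function renameOrgFixed(user: User, org: Org, newName: string): Org {
  if (!user) throw new Error("unauthenticated");
  if (!checkAccess(user, org, "update")) throw new Error("forbidden");
  return { ...org, name: newName };
}

// Constructed sample data: a Prompt Editor and an admin in "org-1", an admin of "org-2".
const org: Org = { id: "org-1", name: "Acme" };
const editor: User = { id: "u1", orgId: "org-1", role: "prompt_editor" };
const admin: User = { id: "u2", orgId: "org-1", role: "admin" };
const outsider: User = { id: "u3", orgId: "org-2", role: "admin" };

// Runs each caller through both handlers and reports the outcome per case.
function demo(): string[] {
  const results: string[] = [];
  results.push(`vulnerable/editor: ${renameOrgVulnerable(editor, org, "Renamed").name}`);
  for (const [label, u] of [["editor", editor], ["admin", admin], ["outsider", outsider]] as const) {
    try { results.push(`fixed/${label}: ${renameOrgFixed(u, org, "Renamed").name}`); }
    catch (e) { results.push(`fixed/${label}: ${(e as Error).message}`); }
  }
  return results;
}
console.log(demo().join("\n"));
```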

CNA Affected

[
  {
    "vendor": "lunary-ai",
    "product": "lunary-ai/lunary",
    "versions": [
      {
        "version": "unspecified",
        "status": "affected",
        "versionType": "custom",
        "lessThanOrEqual": "latest"
      }
    ]
  }
]

