CVE-2024-4154

In lunary-ai/lunary version 1.2.2, an incorrect synchronization vulnerability allows unprivileged users to rename projects they do not have access to. Specifically, an unprivileged user can send a PATCH request to the project's endpoint with a new name for a project, despite not having the necessary permissions or being assigned to the project. This issue allows for unauthorized modification of project names, potentially leading to confusion or unauthorized access to project resources.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/lunary-ai/lunary/commit/c43b6c62035f32ca455f66d5fd22ba661648cde7
https://huntr.com/bounties/e56509af-f7af-4e1e-a04b-9cb53545f30f	Exploit Issue Tracking Patch Third Party Advisory
https://huntr.com/bounties/e56509af-f7af-4e1e-a04b-9cb53545f30f	Exploit Issue Tracking Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*

History

31 Jan 2025, 11:15

Type	Values Removed	Values Added
References		() https://github.com/lunary-ai/lunary/commit/c43b6c62035f32ca455f66d5fd22ba661648cde7 -
CWE	~~CWE-821~~

10 Jan 2025, 14:40

Type	Values Removed	Values Added
CWE		CWE-639
CVSS	v2 : ~~unknown~~ v3 : ~~7.1~~	v2 : unknown v3 : 6.5
CPE		cpe:2.3:a:lunary:lunary::::::::
First Time		Lunary lunary Lunary
References	~~() https://huntr.com/bounties/e56509af-f7af-4e1e-a04b-9cb53545f30f -~~	() https://huntr.com/bounties/e56509af-f7af-4e1e-a04b-9cb53545f30f - Exploit, Issue Tracking, Patch, Third Party Advisory

21 Nov 2024, 09:42

Type	Values Removed	Values Added
References	~~() https://huntr.com/bounties/e56509af-f7af-4e1e-a04b-9cb53545f30f -~~	() https://huntr.com/bounties/e56509af-f7af-4e1e-a04b-9cb53545f30f -
Summary		(es) En lunary-ai/lunary versión 1.2.2, una vulnerabilidad de sincronización incorrecta permite a usuarios sin privilegios cambiar el nombre de proyectos a los que no tienen acceso. Específicamente, un usuario sin privilegios puede enviar una solicitud PATCH al endpoint del proyecto con un nuevo nombre para un proyecto, a pesar de no tener los permisos necesarios o no estar asignado al proyecto. Este problema permite la modificación no autorizada de los nombres de los proyectos, lo que podría generar confusión o acceso no autorizado a los recursos del proyecto.

21 May 2024, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-05-21 18:15

Updated : 2025-01-31 11:15

NVD link : CVE-2024-4154

Mitre link : CVE-2024-4154

CVE.ORG link : CVE-2024-4154

JSON object : View

Products Affected

lunary

lunary

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

6.5 /10