CVE-2024-4154

In lunary-ai/lunary version 1.2.2, an incorrect synchronization vulnerability allows unprivileged users to rename projects they do not have access to. Specifically, an unprivileged user can send a PATCH request to the project's endpoint with a new name for a project, despite not having the necessary permissions or being assigned to the project. This issue allows for unauthorized modification of project names, potentially leading to confusion or unauthorized access to project resources.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/lunary-ai/lunary/commit/c43b6c62035f32ca455f66d5fd22ba661648cde7
https://huntr.com/bounties/e56509af-f7af-4e1e-a04b-9cb53545f30f	Exploit Issue Tracking Patch Third Party Advisory
https://huntr.com/bounties/e56509af-f7af-4e1e-a04b-9cb53545f30f	Exploit Issue Tracking Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*

History

31 Jan 2025, 11:15

Type	Values Removed	Values Added
References		() https://github.com/lunary-ai/lunary/commit/c43b6c62035f32ca455f66d5fd22ba661648cde7 -
CWE	~~CWE-821~~

10 Jan 2025, 14:40

Type	Values Removed	Values Added
References	~~() https://huntr.com/bounties/e56509af-f7af-4e1e-a04b-9cb53545f30f -~~	() https://huntr.com/bounties/e56509af-f7af-4e1e-a04b-9cb53545f30f - Exploit, Issue Tracking, Patch, Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~7.1~~	v2 : unknown v3 : 6.5
First Time		Lunary lunary Lunary
CWE		CWE-639
CPE		cpe:2.3:a:lunary:lunary::::::::

Information

Published : 2024-05-21 18:15

Updated : 2025-01-31 11:15

NVD link : CVE-2024-4154

Mitre link : CVE-2024-4154

CVE.ORG link : CVE-2024-4154

JSON object : View

Products Affected

lunary

lunary

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2024-4154", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 4.2, "exploitabilityScore": 2.8}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2024-05-21T18:15:09.987", "references": [{"url": "https://github.com/lunary-ai/lunary/commit/c43b6c62035f32ca455f66d5fd22ba661648cde7", "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/e56509af-f7af-4e1e-a04b-9cb53545f30f", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/e56509af-f7af-4e1e-a04b-9cb53545f30f", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-639"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "In lunary-ai/lunary version 1.2.2, an incorrect synchronization vulnerability allows unprivileged users to rename projects they do not have access to. Specifically, an unprivileged user can send a PATCH request to the project's endpoint with a new name for a project, despite not having the necessary permissions or being assigned to the project. This issue allows for unauthorized modification of project names, potentially leading to confusion or unauthorized access to project resources."}, {"lang": "es", "value": "En lunary-ai/lunary versi\u00f3n 1.2.2, una vulnerabilidad de sincronizaci\u00f3n incorrecta permite a usuarios sin privilegios cambiar el nombre de proyectos a los que no tienen acceso. Espec\u00edficamente, un usuario sin privilegios puede enviar una solicitud PATCH al endpoint del proyecto con un nuevo nombre para un proyecto, a pesar de no tener los permisos necesarios o no estar asignado al proyecto. Este problema permite la modificaci\u00f3n no autorizada de los nombres de los proyectos, lo que podr\u00eda generar confusi\u00f3n o acceso no autorizado a los recursos del proyecto."}], "lastModified": "2025-01-31T11:15:10.843", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8B6E136A-BD63-4012-9F3F-A388E67219EA", "versionEndExcluding": "1.2.26"}], "operator": "OR"}]}], "sourceIdentifier": "security@huntr.dev"}