CVE-2024-9096

In lunary-ai/lunary version 1.4.28, the /checklists/:id route allows low-privilege users to modify checklists by sending a PATCH request. The route lacks proper access control, such as middleware to ensure that only authorized users (e.g., project owners or admins) can modify checklist data. This vulnerability allows any user associated with the project, regardless of their role, to modify checklists, including changing the slug or data fields, which can lead to tampering with essential project workflows, altering business logic, and introducing errors that undermine integrity.

CVSS v3 7.1 HIGH

7.1^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/lunary-ai/lunary/commit/a8d7b2959e87c30fbafdb12af7ffa093385dcc60	Patch
https://huntr.com/bounties/653e7109-4c21-4e33-b636-7598d3202b9a	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lunary:lunary:1.4.28:*:*:*:*:*:*:*

History

10 Apr 2025, 16:03

Type	Values Removed	Values Added
First Time		Lunary lunary Lunary
References	~~() https://github.com/lunary-ai/lunary/commit/a8d7b2959e87c30fbafdb12af7ffa093385dcc60 -~~	() https://github.com/lunary-ai/lunary/commit/a8d7b2959e87c30fbafdb12af7ffa093385dcc60 - Patch
References	~~() https://huntr.com/bounties/653e7109-4c21-4e33-b636-7598d3202b9a -~~	() https://huntr.com/bounties/653e7109-4c21-4e33-b636-7598d3202b9a - Exploit, Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~7.6~~	v2 : unknown v3 : 7.1
CWE		NVD-CWE-noinfo
CPE		cpe:2.3:a:lunary:lunary:1.4.28:::::::*
Summary		(es) En la versión 1.4.28 de lunary-ai/lunary, la ruta /checklists/:id permite a usuarios con pocos privilegios modificar listas de verificación mediante una solicitud PATCH. Esta ruta carece de un control de acceso adecuado, como middleware, que garantice que solo los usuarios autorizados (p. ej., propietarios o administradores de proyectos) puedan modificar los datos de las listas de verificación. Esta vulnerabilidad permite a cualquier usuario asociado al proyecto, independientemente de su rol, modificar las listas de verificación, incluyendo la modificación del slug o de los campos de datos, lo que puede provocar la manipulación de flujos de trabajo esenciales del proyecto, la alteración de la lógica de negocio y la introducción de errores que socavan la integridad.

20 Mar 2025, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-20 10:15

Updated : 2025-04-10 16:03

NVD link : CVE-2024-9096

Mitre link : CVE-2024-9096

CVE.ORG link : CVE-2024-9096

JSON object : View

Products Affected

lunary

lunary

CWE

CWE-285

Improper Authorization

NVD-CWE-noinfo

7.1 /10