Description

In lunary-ai/lunary version v1.2.13, an incorrect authorization vulnerability exists that allows unauthorized users to access and manipulate projects within an organization they should not have access to. Specifically, the vulnerability is located in the `checkProjectAccess` method within the authorization middleware, which fails to adequately verify if a user has the correct permissions to access a specific project. Instead, it only checks if the user is part of the organization owning the project, overlooking the necessary check against the `account_project` table for explicit project access rights. This flaw enables attackers to gain complete control over all resources within a project, including the ability to create, update, read, and delete any resource, compromising the privacy and security of sensitive information.

INFO

Published Date :

2024-06-08T19:41:25.437Z

Last Modified :

2024-08-30T15:28:58.378Z

Source :

@huntr_ai
AFFECTED PRODUCTS

The following products are affected by CVE-2024-4146 vulnerability.

Vendors Products
Lunary
  • Lunary
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-4146.

URL Resource
https://github.com/lunary-ai/lunary/commit/c43b6c62035f32ca455f66d5fd22ba661648cde7 cve-icon cve-icon cve-icon
https://huntr.com/bounties/a749e696-b398-4260-b2d0-b0054b9fffa7 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact