Description

In lunary-ai/lunary version 1.2.5, an improper access control vulnerability exists due to a missing permission check in the `GET /v1/users/me/org` endpoint. The platform's role definitions restrict the `Prompt Editor` role to prompt management and project viewing/listing capabilities, explicitly excluding access to user information. However, the endpoint fails to enforce this restriction, allowing users with the `Prompt Editor` role to access the full list of users in the organization. This vulnerability allows unauthorized access to sensitive user information, violating the intended access controls.

INFO

Published Date :

2024-06-06T18:49:25.715Z

Last Modified :

2024-11-03T18:27:24.948Z

Source :

@huntr_ai
AFFECTED PRODUCTS

The following products are affected by CVE-2024-5248 vulnerability.

Vendors Products
Lunary
  • Lunary
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-5248.

URL Resource
https://github.com/lunary-ai/lunary/commit/7f24ec1c3588992a07fd70573c43a0897eb523a2 cve-icon cve-icon
https://huntr.com/bounties/4ec75087-5630-4813-952b-88ccabe6d117 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact