CVE-2024-10274

An improper authorization vulnerability exists in lunary-ai/lunary version 1.5.5. The /users/me/org endpoint lacks adequate access control mechanisms, allowing unauthorized users to access sensitive information about all team members in the current organization. This vulnerability can lead to the disclosure of sensitive information such as names, roles, or emails to users without sufficient privileges, resulting in privacy violations and potential reconnaissance for targeted attacks.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector : AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/lunary-ai/lunary/commit/8ba1b8ba2c2c30b1cec30eb5777c1fda670cbbfc	Patch
https://huntr.com/bounties/506459c1-da60-45c5-a10d-8bd540a4b4c1	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*

History

02 Jul 2025, 19:36

Type	Values Removed	Values Added
CPE		cpe:2.3:a:lunary:lunary::::::::
First Time		Lunary Lunary lunary
Summary		(es) Existe una vulnerabilidad de autorización indebida en la versión 1.5.5 de lunary-ai/lunary. El endpoint /users/me/org carece de mecanismos de control de acceso adecuados, lo que permite que usuarios no autorizados accedan a información confidencial sobre todos los miembros del equipo de la organización actual. Esta vulnerabilidad puede provocar la divulgación de información confidencial, como nombres, roles o correos electrónicos, a usuarios sin los privilegios necesarios, lo que resulta en violaciones de la privacidad y un posible reconocimiento para ataques dirigidos.
References	~~() https://github.com/lunary-ai/lunary/commit/8ba1b8ba2c2c30b1cec30eb5777c1fda670cbbfc -~~	() https://github.com/lunary-ai/lunary/commit/8ba1b8ba2c2c30b1cec30eb5777c1fda670cbbfc - Patch
References	~~() https://huntr.com/bounties/506459c1-da60-45c5-a10d-8bd540a4b4c1 -~~	() https://huntr.com/bounties/506459c1-da60-45c5-a10d-8bd540a4b4c1 - Exploit, Third Party Advisory

20 Mar 2025, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-20 10:15

Updated : 2025-07-02 19:36

NVD link : CVE-2024-10274

Mitre link : CVE-2024-10274

CVE.ORG link : CVE-2024-10274

JSON object : View

Products Affected

lunary

lunary

CWE

CWE-285

Improper Authorization

6.5 /10