CVE-2024-3379

In lunary-ai/lunary versions 1.2.2 through 1.2.6, an incorrect authorization vulnerability allows unprivileged users to re-generate the private key for projects they do not have access to. Specifically, a user with a 'Member' role can issue a request to regenerate the private key of a project without having the necessary permissions or being assigned to that project. This issue was fixed in version 1.2.7.

Configurations

Configuration 1

cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*

History

18 Nov 2024, 21:30

Type | Values Removed | Values Added
CPE | | cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*
References | () https://github.com/lunary-ai/lunary/commit/c57cd50fa0477fd2a2efe60810c0099eebd66f54 - | () https://github.com/lunary-ai/lunary/commit/c57cd50fa0477fd2a2efe60810c0099eebd66f54 - Patch
References | () https://huntr.com/bounties/739df024-a112-47aa-b51d-988c3f855e92 - | () https://huntr.com/bounties/739df024-a112-47aa-b51d-988c3f855e92 - Exploit, Issue Tracking, Patch, Third Party Advisory
First Time | | Lunary; Lunary lunary
CVSS | v2 : unknown, v3 : 9.6 | v2 : unknown, v3 : 8.1

15 Nov 2024, 13:58

Type | Values Removed | Values Added
Summary | | (es) In lunary-ai/lunary versions 1.2.2 through 1.2.6, an incorrect authorization vulnerability allows unprivileged users to re-generate the private key for projects they do not have access to. Specifically, a user with a "Member" role can issue a request to regenerate the private key of a project without having the necessary permissions or being assigned to that project. This issue was fixed in version 1.2.7.

14 Nov 2024, 18:15

Type | Values Removed | Values Added
New CVE | |

Information

Published : 2024-11-14 18:15

Updated : 2024-11-18 21:30


NVD link : CVE-2024-3379

Mitre link : CVE-2024-3379

CVE.ORG link : CVE-2024-3379



Products Affected

lunary

  • lunary

CWE

CWE-863

Incorrect Authorization