In lunary-ai/lunary versions 1.2.2 through 1.2.6, an incorrect authorization vulnerability allows unprivileged users to re-generate the private key for projects they do not have access to. Specifically, a user with a 'Member' role can issue a request to regenerate the private key of a project without having the necessary permissions or being assigned to that project. This issue was fixed in version 1.2.7.
References
Link | Resource |
---|---|
https://github.com/lunary-ai/lunary/commit/c57cd50fa0477fd2a2efe60810c0099eebd66f54 | Patch |
https://huntr.com/bounties/739df024-a112-47aa-b51d-988c3f855e92 | Exploit Issue Tracking Patch Third Party Advisory |
Configurations
History
18 Nov 2024, 21:30
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:* | |
References | () https://github.com/lunary-ai/lunary/commit/c57cd50fa0477fd2a2efe60810c0099eebd66f54 - Patch | |
References | () https://huntr.com/bounties/739df024-a112-47aa-b51d-988c3f855e92 - Exploit, Issue Tracking, Patch, Third Party Advisory | |
First Time |
Lunary
Lunary lunary |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.1 |
15 Nov 2024, 13:58
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
14 Nov 2024, 18:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-11-14 18:15
Updated : 2024-11-18 21:30
NVD link : CVE-2024-3379
Mitre link : CVE-2024-3379
CVE.ORG link : CVE-2024-3379
JSON object : View
Products Affected
lunary
- lunary
CWE
CWE-863
Incorrect Authorization