CVE-2024-6086

In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due to improper access control. The function checkAccess() is not implemented, allowing users with the lowest privileges, such as the 'Prompt Editor' role, to modify organization attributes without proper authorization.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/9e83f63f-c5c1-422f-8010-95c353f0c643	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lunary:lunary:1.2.7:*:*:*:*:*:*:*

History

19 Sep 2024, 15:57

Type	Values Removed	Values Added
CWE		NVD-CWE-noinfo
CVSS	v2 : ~~unknown~~ v3 : ~~5.3~~	v2 : unknown v3 : 4.3
Summary		(es) En la versión 1.2.7 de lunary-ai/lunary, cualquier usuario autenticado, independientemente de su rol, puede cambiar el nombre de una organización debido a un control de acceso inadecuado. La función checkAccess() no está implementada, lo que permite a los usuarios con los privilegios más bajos, como la función 'Editor de mensajes', modificar los atributos de la organización sin la autorización adecuada.
References	~~() https://huntr.com/bounties/9e83f63f-c5c1-422f-8010-95c353f0c643 -~~	() https://huntr.com/bounties/9e83f63f-c5c1-422f-8010-95c353f0c643 - Exploit, Third Party Advisory
CPE		cpe:2.3:a:lunary:lunary:1.2.7:::::::*
First Time		Lunary Lunary lunary

27 Jun 2024, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-06-27 19:15

Updated : 2024-09-19 15:57

NVD link : CVE-2024-6086

Mitre link : CVE-2024-6086

CVE.ORG link : CVE-2024-6086

JSON object : View

Products Affected

lunary

lunary

CWE

NVD-CWE-noinfo CWE-284

Improper Access Control

{"id": "CVE-2024-6086", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2024-06-27T19:15:19.533", "references": [{"url": "https://huntr.com/bounties/9e83f63f-c5c1-422f-8010-95c353f0c643", "tags": ["Exploit", "Third Party Advisory"], "source": "security@huntr.dev"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due to improper access control. The function checkAccess() is not implemented, allowing users with the lowest privileges, such as the 'Prompt Editor' role, to modify organization attributes without proper authorization."}, {"lang": "es", "value": "En la versi\u00f3n 1.2.7 de lunary-ai/lunary, cualquier usuario autenticado, independientemente de su rol, puede cambiar el nombre de una organizaci\u00f3n debido a un control de acceso inadecuado. La funci\u00f3n checkAccess() no est\u00e1 implementada, lo que permite a los usuarios con los privilegios m\u00e1s bajos, como la funci\u00f3n 'Editor de mensajes', modificar los atributos de la organizaci\u00f3n sin la autorizaci\u00f3n adecuada."}], "lastModified": "2024-09-19T15:57:50.267", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lunary:lunary:1.2.7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2C7BA1F3-A202-4EB0-A119-9DD2B776A50F"}], "operator": "OR"}]}], "sourceIdentifier": "security@huntr.dev"}