CVE-2024-6582

A broken access control vulnerability exists in the latest version of lunary-ai/lunary. The `saml.ts` file allows a user from one organization to update the Identity Provider (IDP) settings and view the SSO metadata of another organization. This vulnerability can lead to unauthorized access and potential account takeover if the email of a user in the target organization is known.
Configurations

Configuration 1 (hide)

cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*

History

03 Nov 2024, 17:15

Type Values Removed Values Added
CWE CWE-287

19 Sep 2024, 19:45

Type Values Removed Values Added
References () https://github.com/lunary-ai/lunary/commit/1f043d8798ad87346dfe378eea723bff78ad7433 - () https://github.com/lunary-ai/lunary/commit/1f043d8798ad87346dfe378eea723bff78ad7433 - Patch
References () https://huntr.com/bounties/251d138c-3911-4a81-96e5-5a4ab59a0b59 - () https://huntr.com/bounties/251d138c-3911-4a81-96e5-5a4ab59a0b59 - Exploit, Third Party Advisory
CPE cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*
First Time Lunary
Lunary lunary
Summary
  • (es) Existe una vulnerabilidad de control de acceso en la última versión de lunary-ai/lunary. El archivo `saml.ts` permite que un usuario de una organización actualice la configuración del proveedor de identidad (IDP) y vea los metadatos de SSO de otra organización. Esta vulnerabilidad puede provocar acceso no autorizado y una posible apropiación de cuentas si se conoce el correo electrónico de un usuario de la organización de destino.
CWE CWE-306
CVSS v2 : unknown
v3 : 6.5
v2 : unknown
v3 : 4.3

13 Sep 2024, 17:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-13 17:15

Updated : 2024-11-03 17:15


NVD link : CVE-2024-6582

Mitre link : CVE-2024-6582

CVE.ORG link : CVE-2024-6582


JSON object : View

Products Affected

lunary

  • lunary
CWE
CWE-306

Missing Authentication for Critical Function