PT-2024-29440 · Lunary Ai · Lunary
Published 2024-05-21 · Updated 2025-01-31 · CVE-2024-4154
CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary version 1.2.2
Description: The issue allows unprivileged users to rename projects they do not have access to by sending a PATCH request to the project's endpoint with a new name, despite lacking the necessary permissions or an assignment to the project. This can lead to unauthorized modification of project names, potentially causing confusion or unauthorized access to project resources.
Recommendations: For lunary-ai/lunary version 1.2.2, consider restricting access to the project's endpoint to prevent unauthorized renaming of projects until a patch is available. As a temporary workaround, limit the ability of unprivileged users to send PATCH requests to project endpoints.
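An added illustration of the missing object-level authorization check, not Lunary's own code: an in-memory store with a rename handler that only authenticates the caller, beside a hardened handler that also verifies the project belongs to the caller's organization and that the caller's role permits renaming. All names (renameProjectVulnerable, renameProjectFixed, the sample users, projects and roles) are assumptions constructed for the example.

```javascript
// Added example (not Lunary's code): an IDOR on a project-rename endpoint and its fix.
// Constructed sample data: two organizations, one project each, and three users.
const projects = new Map([
  ["proj-1", { id: "proj-1", orgId: "org-a", name: "Alpha" }],
  ["proj-2", { id: "proj-2", orgId: "org-b", name: "Beta" }],
]);
const users = new Map([
  ["user-1", { id: "user-1", orgId: "org-a", role: "admin" }],  // may rename org-a projects
  ["user-2", { id: "user-2", orgId: "org-b", role: "admin" }],  // belongs to a different org
  ["user-3", { id: "user-3", orgId: "org-a", role: "viewer" }], // right org, insufficient role
]);

function validName(newName) {
  return typeof newName === "string" && newName.trim() !== "";
}

// Vulnerable handler: the caller is authenticated and the payload is validated,
// but nothing ties the caller to the project id taken from the request path.
function renameProjectVulnerable(callerId, projectId, newName) {
  if (!users.has(callerId)) return { status: 401 };
  const project = projects.get(projectId);
  if (!project) return { status: 404 };
  if (!validName(newName)) return { status: 400 };
  project.name = newName.trim();
  return { status: 200, name: project.name };
}

// Hardened handler: the project must belong to the caller's organization
// (object-level authorization) and the caller needs a role allowed to rename.
const RENAME_ROLES = new Set(["owner", "admin"]);
function renameProjectFixed(callerId, projectId, newName) {
  const caller = users.get(callerId);
  if (!caller) return { status: 401 };
  const project = projects.get(projectId);
  // Same 404 for "missing" and "not in your org", so foreign project ids are not confirmed.
  if (!project || project.orgId !== caller.orgId) return { status: 404 };
  if (!RENAME_ROLES.has(caller.role)) return { status: 403 };
  if (!validName(newName)) return { status: 400 };
  project.name = newName.trim();
  return { status: 200, name: project.name };
}
```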

Links: Exploit, Fix
Tag: IDOR


Weakness Enumeration
Related Identifiers: CVE-2024-4154
Affected Products: Lunary