PT-2024-35320 · Lunary Ai · Lunary

Hughcrt · Published 2024-06-06 · Updated 2024-11-03 · CVE-2024-5248

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
lunary-ai/lunary version 1.2.5

Description
An improper access control issue exists due to a missing permission check in the "GET /v1/users/me/org" endpoint. The platform's role definitions restrict the Prompt Editor role to prompt management and project viewing/listing capabilities, excluding access to user information. However, the endpoint fails to enforce this restriction, allowing users with the Prompt Editor role to retrieve the full list of users in the organization. This allows unauthorized access to sensitive user information, violating the intended access controls.
Recommendations
For lunary-ai/lunary version 1.2.5, as a temporary workaround, consider restricting access to the "GET /v1/users/me/org" endpoint to the roles that legitimately need it until a patch is available. Additionally, review the role definitions and enforce them server-side on every endpoint that returns user information, so that a role lacking user access is denied regardless of which route it calls. At the moment, there is no information about a newer version that contains a fix for this issue.
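The missing check and an enforced version of it, as an added example in TypeScript; this is not Lunary's code, and the role names (admin, prompt_editor), permission strings, handler names, request/response shapes and user records are assumptions made for illustration. The vulnerable handler only verifies that the caller is logged in, which is what the advisory describes; the fixed handler wraps it in a guard that denies any role not granted users:list, with unknown roles denied by default.

```typescript
// Added illustration, not Lunary's code: a minimal model of the missing
// permission check on GET /v1/users/me/org and of an enforced version.
// Role names, permission strings, and the request/response shapes below
// are assumptions made for this example.

type Permission = "prompts:manage" | "projects:view" | "projects:list" | "users:list";

// Assumed role-to-permission table. The Prompt Editor role is limited to
// prompt management and project viewing/listing and deliberately lacks
// "users:list", matching the restriction described in the advisory.
const ROLE_PERMISSIONS: Record<string, Permission[]> = {
  admin: ["prompts:manage", "projects:view", "projects:list", "users:list"],
  prompt_editor: ["prompts:manage", "projects:view", "projects:list"],
};

interface AuthedRequest {
  userId: string; // an empty string models an unauthenticated caller
  orgId: string;
  role: string;
}

interface ApiResponse {
  status: number;
  body: unknown;
}

interface OrgUser {
  id: string;
  email: string;
  role: string;
}

// Constructed sample data standing in for the organization's user records.
const ORG_USERS: Record<string, OrgUser[]> = {
  "org-1": [
    { id: "u-1", email: "owner@example.com", role: "admin" },
    { id: "u-2", email: "editor@example.com", role: "prompt_editor" },
  ],
};

// Default deny: a role that is not in the table has no permissions at all.
function hasPermission(role: string, perm: Permission): boolean {
  const perms = ROLE_PERMISSIONS[role];
  return perms !== undefined && perms.indexOf(perm) !== -1;
}

// Vulnerable shape: the handler checks only that the caller is logged in.
// Any organization member, including a Prompt Editor, gets the full user list.
function getOrgUsersVulnerable(req: AuthedRequest): ApiResponse {
  if (!req.userId) {
    return { status: 401, body: { error: "unauthenticated" } };
  }
  return { status: 200, body: ORG_USERS[req.orgId] || [] };
}

// Guard that enforces a permission before the handler runs, so the check is
// declared once per route instead of being re-implemented inside each handler.
function requirePermission(
  perm: Permission,
  handler: (req: AuthedRequest) => ApiResponse
): (req: AuthedRequest) => ApiResponse {
  return (req: AuthedRequest): ApiResponse => {
    if (!req.userId) {
      return { status: 401, body: { error: "unauthenticated" } };
    }
    if (!hasPermission(req.role, perm)) {
      return { status: 403, body: { error: "forbidden" } };
    }
    return handler(req);
  };
}

// Fixed shape: the same handler wrapped with the users:list requirement.
const getOrgUsersFixed = requirePermission("users:list", getOrgUsersVulnerable);

// Stand-alone demonstration with constructed requests.
const editor: AuthedRequest = { userId: "u-2", orgId: "org-1", role: "prompt_editor" };
const admin: AuthedRequest = { userId: "u-1", orgId: "org-1", role: "admin" };
console.log("vulnerable, prompt_editor:", getOrgUsersVulnerable(editor).status); // 200
console.log("fixed, prompt_editor:", getOrgUsersFixed(editor).status); // 403
console.log("fixed, admin:", getOrgUsersFixed(admin).status); // 200
```

The point of the guard is that authorization is a property of the route, not of the handler body: if every user-listing route is registered through requirePermission("users:list", ...), a Prompt Editor token is refused with 403 on all of them, and a newly added role that nobody mapped in the table is refused too rather than silently allowed.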

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2024-5248

Affected Products: Lunary