PT-2024-37736 · Lunary · Lunary

Published: 2024-09-13 · Updated: 2024-11-03 · CVE-2024-6582

CVSS v4.0: 7.1 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

lunary-ai/lunary versions prior to commit 1f043d8798ad87346dfe378eea723bff78ad7433

Description

A broken access control issue exists in the saml.ts file, allowing a user from one organization to update the Identity Provider (IDP) settings and view the SSO metadata of another organization. This can lead to unauthorized access and potential account takeover if the email of a user in the target organization is known.

Recommendations

For versions prior to commit 1f043d8798ad87346dfe378eea723bff78ad7433, consider updating to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the saml.ts file to minimize the risk of exploitation. Avoid using the saml.ts file to update IDP settings or view SSO metadata for other organizations until the issue is resolved.
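The bug class described above, as an added illustration that is not Lunary's code: a hypothetical in-memory SAML settings service with the handler shape that trusts a request-supplied organization id beside the hardened shape that scopes every read and write to the authenticated session's organization. All names, the sample organizations and their IdP values are constructed for this example.

```typescript
// Added illustration, not Lunary's code: the org-scoping gap described in the
// advisory, modelled as a tiny in-memory SAML settings service.
type OrgId = string;
interface Session { userId: string; orgId: OrgId }
interface IdpSettings { entryPoint: string; issuer: string; cert: string }
type SettingsStore = Map<OrgId, IdpSettings>;
type UpdateHandler = (store: SettingsStore, s: Session, org: OrgId, v: IdpSettings) => void;

class ForbiddenError extends Error {
  constructor(msg: string) { super(msg); this.name = "ForbiddenError"; }
}
function isForbidden(e: unknown): boolean { return e instanceof Error && e.name === "ForbiddenError"; }

// Constructed sample state: two organisations, each with its own IdP configuration.
function sampleStore(): SettingsStore {
  return new Map<OrgId, IdpSettings>([
    ["org-a", { entryPoint: "https://idp-a.example/sso", issuer: "idp-a", cert: "CERT-A" }],
    ["org-b", { entryPoint: "https://idp-b.example/sso", issuer: "idp-b", cert: "CERT-B" }],
  ]);
}

// Vulnerable shape: the organisation acted on is whatever the request names,
// and nothing ties that id to the authenticated caller's own organisation.
function updateIdpVulnerable(store: SettingsStore, _s: Session, org: OrgId, v: IdpSettings): void {
  store.set(org, v);
}

// Hardened shape: the tenant is the session's organisation; a caller-supplied
// org id is accepted only when it matches, so no read or write can cross tenants.
function requireOwnOrg(s: Session, org: OrgId): OrgId {
  if (s.orgId !== org) throw new ForbiddenError(`user ${s.userId} of ${s.orgId} may not act on ${org}`);
  return s.orgId;
}
function updateIdpFixed(store: SettingsStore, s: Session, org: OrgId, v: IdpSettings): void {
  store.set(requireOwnOrg(s, org), v);
}
function getSsoMetadataFixed(store: SettingsStore, s: Session, org: OrgId): IdpSettings | undefined {
  return store.get(requireOwnOrg(s, org));
}

// Detection check: does this handler let a member of org-a replace org-b's IdP settings?
function crossOrgWriteAllowed(update: UpdateHandler): boolean {
  const store = sampleStore();
  const outsider: Session = { userId: "u1", orgId: "org-a" };
  const replacement: IdpSettings = { entryPoint: "https://other.example/sso", issuer: "other", cert: "CERT-X" };
  try { update(store, outsider, "org-b", replacement); } catch (e) { if (isForbidden(e)) return false; throw e; }
  return store.get("org-b")?.issuer === "other";
}
```

The same `crossOrgWriteAllowed` check can serve as a regression test for any tenant-scoped settings endpoint: it must return false for every handler that is meant to be fixed.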

Weakness Enumeration

Missing Authentication
Improper Authentication

Related Identifiers

CVE-2024-6582
GHSA-W73R-8MM4-CFVF

Affected Products

Lunary