PT-2025-12244 · Unknown · Lunary-Ai/Lunary

Published 2025-03-20 · Updated 2025-07-02 · CVE-2024-8765

CVSS v3.1 7.3 High

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary version git afc5df4

Description: The privilege check in lunary-ai/lunary treats a request as public whenever the substring "/auth/" appears anywhere in its path, not only on the intended authentication routes. An unauthenticated attacker can therefore reach protected endpoints by crafting a path that contains "/auth/", and through them read and modify sensitive data and consume other organizations' resources without authenticating.

Recommendations: For version git afc5df4, restrict access to sensitive endpoints that the check may misclassify as public because "/auth/" occurs in their paths, until a proper fix is available. As a temporary workaround, avoid paths containing "/auth/" for sensitive endpoints. A regression check after any fix is to send unauthenticated requests to each protected route with "/auth/" inserted into the path and confirm they are rejected.
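The following is an added illustration of the class of bug described above, written for this page; it is not Lunary's code, and the route names and probe paths are hypothetical. It contrasts a substring check of the kind the advisory describes with a check that canonicalizes the path and then requires an exact match against an explicit public-route allowlist. The dot-segment probe goes slightly beyond the advisory text: it shows one way a substring test can be satisfied while a router still dispatches to a protected handler, and whether that specific vector applied to Lunary is not something this advisory states.

```typescript
// Added illustration of the CVE-2024-8765 pattern (substring-based "public route" check).
// This is not Lunary's code; route names and probe paths are hypothetical/constructed.

// Hypothetical allowlist of routes that may be reached without a session.
const PUBLIC_ROUTES: readonly string[] = ["/auth/login", "/auth/signup"];

// Vulnerable pattern described in the advisory: a request is treated as public
// whenever "/auth/" occurs anywhere in the path.
function isPublicVulnerable(rawPath: string): boolean {
  return rawPath.indexOf("/auth/") !== -1;
}

// Canonicalize before any authorization decision: drop query/fragment, decode
// percent-encoding once, collapse empty and "." segments, resolve "..".
// Written by hand so the example has no dependencies; the point is that the
// check must see the same path the router dispatches on.
function canonicalize(rawPath: string): string {
  const cut = rawPath.search(/[?#]/);
  const noQuery = cut === -1 ? rawPath : rawPath.slice(0, cut);
  let decoded: string;
  try {
    decoded = decodeURIComponent(noQuery);
  } catch {
    decoded = noQuery; // malformed escape: keep the raw form, which will not match the allowlist
  }
  const segments: string[] = [];
  for (const seg of decoded.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      segments.pop(); // never climbs above "/"
      continue;
    }
    segments.push(seg);
  }
  return "/" + segments.join("/");
}

// Hardened pattern: default deny, exact match of the canonical path against the allowlist.
function isPublicFixed(rawPath: string): boolean {
  return PUBLIC_ROUTES.indexOf(canonicalize(rawPath)) !== -1;
}

// Constructed probes, not real Lunary endpoints.
const PROBES: readonly string[] = [
  "/auth/login",                // legitimately public
  "/v1/projects/42/auth/keys",  // protected route that happens to contain "/auth/"
  "/auth/../v1/projects/42",    // dot segments: substring present, canonical path is protected
  "/v1/projects/42",            // plainly protected
];

interface Verdict {
  path: string;
  canonical: string;
  vulnerable: boolean; // what the substring check decides
  fixed: boolean;      // what the allowlist check decides
}

function compareChecks(paths: readonly string[] = PROBES): Verdict[] {
  return paths.map((p) => ({
    path: p,
    canonical: canonicalize(p),
    vulnerable: isPublicVulnerable(p),
    fixed: isPublicFixed(p),
  }));
}

for (const v of compareChecks()) {
  console.log(v.path, "->", v.canonical, "naive:", v.vulnerable, "fixed:", v.fixed);
}
```

Two of the four probes are accepted as public by the substring check and rejected by the allowlist check; the only path both accept is the genuinely public login route. Decoding exactly once matters: decoding in a loop, or not at all, lets the authorization layer and the router disagree about which handler a request reaches.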


Related Identifiers: CVE-2024-8765

Affected Products: Lunary-Ai/Lunary