CVE-2024-5127

June 6, 2024, 6:15 p.m.

5.4
Medium

Description

In lunary-ai/lunary versions 1.2.2 through 1.2.25, an improper access control vulnerability allows users on the Free plan to invite other members and assign them any role, including those intended for Paid and Enterprise plans only. This issue arises due to insufficient backend validation of roles and permissions, enabling unauthorized users to join a project and potentially exploit roles and permissions not intended for their use. The vulnerability specifically affects the Team feature, where the backend fails to validate whether a user has paid for a plan before allowing them to send invite links with any role assigned. This could lead to unauthorized access and manipulation of project settings or data.

Product(s) Impacted

Product Versions
lunary-ai/lunary
  • 1.2.2 through 1.2.25

Weaknesses

Common security weaknesses mapped to this vulnerability.

References

https://github.com/lunary-ai/lunary/commit/b7bd3a830a0f47ba07d0fd57bf78c4dd8a216297
https://huntr.com/bounties/719a5db3-f943-4100-a660-011cadf1bb32

Tags

CWE-284
security@huntr.dev
2024-06-06
CVE-2024-5127

CVSS Score

5.4 / 10

CVSS Data - 3.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: NONE

    • CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

    View Vector String

Timeline

Published: June 6, 2024, 6:15 p.m.
Last Modified: June 6, 2024, 6:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@huntr.dev

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.