Lucene search

[email protected]NVD:CVE-2024-1626

HistoryApr 16, 2024 - 12:15 a.m.

CVE-2024-1626

2024-04-1600:15:09

CWE-250

[email protected]

web.nvd.nist.gov

idor

lunary-ai/lunary

version 0.3.0

project update endpoint

authenticated users

patch request

'/v1/projects/:projectid' endpoint

authorization checks

unauthorized modifications

organizational projects

cve-2024-1626

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

Confidence

High

EPSS

Percentile

9.0%

JSON

An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary repository, version 0.3.0, within the project update endpoint. The vulnerability allows authenticated users to modify the name of any project within the system without proper authorization checks, by directly referencing the project’s ID in the PATCH request to the ‘/v1/projects/:projectId’ endpoint. This issue arises because the endpoint does not verify if the provided project ID belongs to the currently authenticated user, enabling unauthorized modifications across different organizational projects.

References

github.com/lunary-ai/lunary/commit/9eb9e526edff8bf82ae032f7a04867c8d58572bc

huntr.com/bounties/ccc291db-ae9c-403c-b6b5-6fe3f4800933

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

Confidence

High

EPSS

Percentile

9.0%

JSON

Related for NVD:CVE-2024-1626

cve1 cvelist1 vulnrichment1 osv1