GHSA-X3VF-MGXJ-7785 Lemur Privilege Escalation: Non-admin role members can rewrite role membership via PUT /api/1/roles/<id>
Summary The PUT /api/1/roles/ handler in lemur/roles/views.py gates only on RoleMemberPermissionroleid.can, which is satisfied for any user who is already a member of the target role. The handler then passes data"users" and data"name" directly to service.update, permitting any role member to...