Unlimited User Creation Vulnerability in lunary version 1.2.2
CVE-2024-4153

4.3MEDIUM

Key Information:

Vendor: Lunary-ai
Status: Lunary-ai/lunary
Vendor: CVE Published:; 22 May 2024

What is CVE-2024-4153?

A vulnerability in lunary-ai/lunary version 1.2.2 allows attackers to bypass user creation limits and potentially evade payment requirements. The issue arises from an undefined behavior when handling input to the API, specifically through a POST request to the /v1/users endpoint. By crafting a request with a new user's email and assigning them an 'admin' role, attackers can invite additional users beyond the set limit. This vulnerability could be exploited to add an unlimited number of users without adhering to the intended restrictions.

Affected Version(s)

lunary-ai/lunary <= unspecified

References

https://huntr.com/bounties/336db0ae-fe33-44b9-ba9d-bf117e...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 22, 2024
Vulnerability Reserved
Apr 24, 2024

JSON

Lunary-ai

What is CVE-2024-4153?

Affected Version(s)

References

CVSS V3.1

Timeline