Unlimited User Creation Vulnerability in lunary version 1.2.2
CVE-2024-4153

4.3MEDIUM

Key Information:

Vendor: Lunary-ai
Status: Lunary-ai/lunary
Vendor: CVE Published:; 22 May 2024

What is CVE-2024-4153?

A vulnerability in lunary-ai/lunary version 1.2.2 allows attackers to bypass user creation limits and potentially evade payment requirements. The issue arises from an undefined behavior when handling input to the API, specifically through a POST request to the /v1/users endpoint. By crafting a request with a new user's email and assigning them an 'admin' role, attackers can invite additional users beyond the set limit. This vulnerability could be exploited to add an unlimited number of users without adhering to the intended restrictions.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

lunary-ai/lunary <= unspecified

References

https://huntr.com/bounties/336db0ae-fe33-44b9-ba9d-bf117e...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 22, 2024
Vulnerability Reserved
Apr 24, 2024

JSON

Lunary-ai