Unauthorized Access via Broken Access Control in Lunary
CVE-2024-6582

4.3MEDIUM

Key Information:

Vendor: Lunary-ai
Status: Lunary-ai/lunary
Vendor: CVE Published:; 13 September 2024

Summary

A broken access control vulnerability exists in the latest version of lunary-ai/lunary. The saml.ts file allows a user from one organization to update the Identity Provider (IDP) settings and view the SSO metadata of another organization. This vulnerability can lead to unauthorized access and potential account takeover if the email of a user in the target organization is known.

Affected Version(s)

lunary-ai/lunary < 1.4.9

References

https://huntr.com/bounties/251d138c-3911-4a81-96e5-5a4ab5...

https://github.com/lunary-ai/lunary/commit/1f043d8798ad87...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 13, 2024
Vulnerability Reserved
Jul 8, 2024

Collectors

NVD DatabaseMitre Database