Unauthorized Access via Broken Access Control in Lunary

CVE-2024-6582

4.3MEDIUM

Key Information

Vendor: Lunary-ai
Status: Lunary-ai/lunary
Vendor: CVE Published:; 13 September 2024

Summary

A broken access control vulnerability exists in the latest version of lunary-ai/lunary. The `saml.ts` file allows a user from one organization to update the Identity Provider (IDP) settings and view the SSO metadata of another organization. This vulnerability can lead to unauthorized access and potential account takeover if the email of a user in the target organization is known.

Affected Version(s)

lunary-ai/lunary < 1.4.9

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Risk change from: 4.3 to: 6.5 - (MEDIUM)
Nov 3, 2024
Risk change from: null to: 6.5 - (MEDIUM)
Sep 13, 2024
Vulnerability published.
Sep 13, 2024
Vulnerability Reserved.
Jul 8, 2024

Collectors

NVD DatabaseMitre Database