Access Control Flaw in Lunary-AI Product
CVE-2024-9096
7.1 HIGH
What is CVE-2024-9096?
In lunary-ai's lunary version 1.4.28, a significant access control flaw exists in the /checklists/:id route: PATCH requests to this route are not subject to a proper authorization check, so low-privilege users can alter checklists. Because no access control is enforced on the route, any user associated with the project can modify critical checklist data, including changing the slug and altering data fields. Such unrestricted access can severely disrupt essential project workflows, compromise business logic, and introduce errors that affect the overall integrity of the project.
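The pattern behind this class of flaw, as an added illustration that is not Lunary's own code: a PATCH handler for a /checklists/:id-style route that checks only project membership, next to a hardened version that also requires a privileged role and applies only whitelisted fields. The role names ("owner", "admin", "member"), the field names, the in-memory store and the sample data are all assumptions made for this example.

```javascript
// Added example, not Lunary's code. Roles, field names and the store are
// assumptions chosen to illustrate the missing authorization check.

const ALLOWED_ROLES = new Set(["owner", "admin"]); // assumed privileged roles
const PATCHABLE_FIELDS = new Set(["slug", "data"]); // fields the advisory says were alterable

// Constructed sample store: one project holding one checklist.
function makeStore() {
  return new Map([
    ["chk-1", { id: "chk-1", projectId: "proj-1", slug: "release-gate", data: { items: ["tests pass"] } }],
  ]);
}

// Vulnerable shape: membership in the project is the only check, so every
// project member (whatever their role) can overwrite any field, including
// identifiers such as projectId.
function patchChecklistVulnerable(store, user, id, patch) {
  const checklist = store.get(id);
  if (!checklist) return { status: 404 };
  if (checklist.projectId !== user.projectId) return { status: 403 };
  Object.assign(checklist, patch); // no role check, no field filtering
  return { status: 200, body: checklist };
}

// Hardened shape: membership AND a privileged role are both required, and
// only whitelisted fields are applied, so ids and ownership cannot be rewritten.
function patchChecklistHardened(store, user, id, patch) {
  const checklist = store.get(id);
  if (!checklist) return { status: 404 };
  if (checklist.projectId !== user.projectId) return { status: 403 };
  if (!ALLOWED_ROLES.has(user.role)) return { status: 403 };
  const update = {};
  for (const [key, value] of Object.entries(patch)) {
    if (!PATCHABLE_FIELDS.has(key)) return { status: 400, error: `field not patchable: ${key}` };
    update[key] = value;
  }
  Object.assign(checklist, update);
  return { status: 200, body: checklist };
}

// Stand-alone demonstration with a constructed low-privilege project member.
const member = { id: "u-2", projectId: "proj-1", role: "member" };
console.log("vulnerable:", patchChecklistVulnerable(makeStore(), member, "chk-1", { slug: "changed" }).status); // 200
console.log("hardened:  ", patchChecklistHardened(makeStore(), member, "chk-1", { slug: "changed" }).status);   // 403
```

The field whitelist matters as much as the role check: an authorization test that passes for admins but still lets the request body overwrite `projectId` would simply move the problem.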
Affected Version(s)
lunary-ai/lunary < 1.4.30
References
CVSS V3.1
Score: 7.1
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
CVSS V3.0
Score: 7.6
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved