Medium Severity

lunary

Unauthorized Role Assignment and Project Joining in Free Plan

A vulnerability in lunary-ai/lunary allowed a user on the Free plan to invite others to their project with any role, including roles reserved for the Paid and Enterprise plans. The issue, present in version 1.2.2, was fixed in version 1.2.25. The backend accepted the role supplied in the invitation request without checking it against the inviting organization's plan, so the plan's role and permission restrictions could be bypassed and invited users granted privileges the organization was not entitled to assign.

Available publicly on Jun 07 2024

CVSS: 5.4

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Credit:

acciobugs
Remediation Steps
  • Ensure backend validation checks the inviting organization's plan before allowing a role to be assigned during the invitation process.
  • Validate the organization's plan status when processing signup requests with the "join" method.
  • Implement role validation checks before inserting user objects into the database to prevent unauthorized role assignments.
  • Conduct a thorough audit of the access control and role management system to identify and rectify any similar vulnerabilities.
Patch Details
  • Fixed Version: 1.2.25
  • Patch Commit: https://github.com/lunary-ai/lunary/commit/b7bd3a830a0f47ba07d0fd57bf78c4dd8a216297