Improper Access Control in Prompt Update Functionality
A vulnerability in the lunary-ai/lunary software allows unauthorized users to update prompts due to improper access control. This issue affects version 1.2.2 and was patched in version 1.2.25.
Available publicly on May 21 2024 | Available with Premium on May 19 2024
Threat Overview
The vulnerability stems from inadequate access control checks in the prompt update functionality. Specifically, the versions.patch method, which handles updates to template versions, does not properly verify the user's permissions before allowing the update operation. This oversight allows an attacker to modify the content, extra parameters, test values, and draft status of any template version by sending a specially crafted PATCH request.
Attack Scenario
An attacker discovers the endpoint for updating template versions and crafts a PATCH request with a new content, extra parameters, and other fields. By specifying the id of the template version they wish to modify, the attacker can bypass access controls and alter the template version's details without proper authorization.
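The following is an added illustration of the missing check, not lunary's own code: a constructed in-memory store stands in for the database, and a caller's `projectId` stands in for the tenant the authenticated user belongs to. It contrasts a handler that updates a version by id alone with one that first confirms the version's template belongs to the caller's project and only merges an allow-list of fields.

```javascript
// Constructed sample data; the shape (template -> versions) is assumed.
function makeStore() {
  return {
    templates: { t1: { projectId: "p1" } },
    versions: {
      v1: { templateId: "t1", content: "Hello {{name}}", extra: {}, testValues: {}, isDraft: false },
    },
  };
}

// Vulnerable shape: the version id from the request is the only thing used to
// locate the row, and the request body is merged wholesale. Nothing ties the
// row back to the caller's project, so any authenticated caller can change it.
function patchVersionUnchecked(caller, versionId, patch, store) {
  const v = store.versions[versionId];
  if (!v) return { status: 404 };
  Object.assign(v, patch);
  return { status: 200, version: v };
}

// Hardened shape: resolve the owning template and require that it belongs to
// the caller's project before touching the row. The update is also limited to
// the fields the endpoint is meant to change (content, extra parameters, test
// values, draft status), so identifiers like templateId cannot be re-pointed.
const PATCHABLE_FIELDS = ["content", "extra", "testValues", "isDraft"];

function patchVersionChecked(caller, versionId, patch, store) {
  const v = store.versions[versionId];
  if (!v) return { status: 404 };
  const template = store.templates[v.templateId];
  if (!template || template.projectId !== caller.projectId) {
    return { status: 403 }; // ownership check happens before any write
  }
  for (const key of PATCHABLE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(patch, key)) v[key] = patch[key];
  }
  return { status: 200, version: v };
}
```

In a real service the ownership lookup belongs in the same query that fetches the row (for example, joining the version to its template and filtering on the caller's project), so that the check cannot be skipped by a later refactor.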
Who is affected
All users of the lunary-ai/lunary software version 1.2.2 are potentially affected by this vulnerability, as unauthorized users could alter the content and settings of deployed prompts.
Technical Report