Improper Access Control in User Role Update Functionality
An improper access control vulnerability was identified in lunary-ai/lunary version 1.2.2, allowing an admin to elevate any organization user to the role of organization owner. This elevation of privilege enables the newly promoted owner to delete projects within the organization. The issue was patched in version 1.2.7.
Available publicly on May 21 2024 | Available with Premium on Apr 09 2024
Threat Overview
The vulnerability stems from inadequate verification of user roles when updating user information, specifically the role attribute. The system's failure to properly restrict role updates to authorized personnel (e.g., only allowing the organization's owner to make such changes) means that an admin, who should not have the authority to promote users to the owner level, can do so. This oversight can lead to unauthorized organizational control, including the deletion of critical projects.
Attack Scenario
An attacker with administrative access to the lunary-ai/lunary platform could exploit this vulnerability by sending a PATCH request to the user update endpoint, specifying a target user's ID and changing their role to 'owner'. This action would grant the targeted user all privileges associated with the owner role, including the ability to delete projects within the organization.
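The missing check described in the threat overview and attack scenario above, shown as an added example that is not lunary's own code: the weak pattern (caller is admin-or-above, so any role in the request body is written) next to a hardened rule set for a PATCH user-update handler. Role names, the user shape and the in-memory organization are assumptions constructed for the demonstration.

```typescript
// Added example, not lunary's code. Role names, the user shape and the sample org
// are assumptions constructed for illustration.
type Role = "member" | "admin" | "owner";
interface User { id: string; orgId: string; role: Role; }

// Higher number = more privilege.
const RANK: Record<Role, number> = { member: 1, admin: 2, owner: 3 };

// Constructed sample org: one owner, one admin, one member, plus a user in another org.
function sampleUsers(): Record<string, User> {
  return {
    "u-owner": { id: "u-owner", orgId: "org-1", role: "owner" },
    "u-admin": { id: "u-admin", orgId: "org-1", role: "admin" },
    "u-member": { id: "u-member", orgId: "org-1", role: "member" },
    "u-other": { id: "u-other", orgId: "org-2", role: "member" },
  };
}

// Weak pattern the advisory describes: the handler only checks that the caller is
// admin-or-above, then writes whatever role the request body carries.
function updateRoleVulnerable(users: Record<string, User>, actorId: string, targetId: string, newRole: Role): boolean {
  const actor = users[actorId], target = users[targetId];
  if (!actor || !target || RANK[actor.role] < RANK.admin) return false;
  target.role = newRole; // no check that the actor may grant newRole
  return true;
}

// Hardened rule set: same org, no self-edit, actor must be the owner or strictly
// outrank the target's current role, and the granted role may never exceed the
// actor's own role (so only an owner can make someone an owner).
function canAssignRole(actor: User, target: User, newRole: Role): boolean {
  if (actor.orgId !== target.orgId) return false;
  if (actor.id === target.id) return false;
  if (actor.role !== "owner" && RANK[actor.role] <= RANK[target.role]) return false;
  if (RANK[newRole] > RANK[actor.role]) return false;
  return true;
}

// Same handler with the authorization decision made before the write.
function updateRoleChecked(users: Record<string, User>, actorId: string, targetId: string, newRole: Role): boolean {
  const actor = users[actorId], target = users[targetId];
  if (!actor || !target || !canAssignRole(actor, target, newRole)) return false;
  target.role = newRole;
  return true;
}
```

The decisive difference is that the hardened handler compares the requested role against the caller's own role, not just against a minimum privilege bar.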
Who is affected
Organizations using lunary-ai/lunary version 1.2.2 are affected by this vulnerability. Specifically, this issue impacts organizations with multiple users, where unauthorized elevation of a user's role can lead to significant operational risks, including the unauthorized deletion of projects.