Improper Access Control in User Role Update Functionality
An improper access control vulnerability was identified in lunary-ai/lunary version 1.2.2: the user role update functionality let a user holding the admin role elevate any organization user to the role of organization owner. Because owners may delete projects, this privilege escalation allowed a newly promoted owner to delete projects within the organization. The issue was patched in version 1.2.7.
Available publicly on May 21 2024 | Available with Premium on Apr 09 2024
Remediation Steps
- Update to lunary-ai/lunary version 1.2.7 or later.
- Review and adjust user roles within the organization to ensure they are appropriate.
- Enforce, server-side, that only an organization owner can grant the owner role (and, more generally, that no user can grant a role above their own), and log every role change so unauthorized elevation can be detected.
- Regularly audit user roles and permissions to detect and rectify any improper access control settings.
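The following is an added example, written for this advisory and not taken from the lunary codebase, of the kind of server-side check the description and the remediation steps above call for. It puts the flawed pattern (the role update endpoint only verifies that the caller is at least an admin) next to a hardened check in which a caller can never grant a role above their own and cannot edit members who outrank or equal them. The role names, the `Member` shape, the sample organization and the function names are all assumptions for illustration; the "keep at least one owner" rule goes beyond the advisory and is included as a common companion check.

```typescript
// Added example, not lunary's own code. Role names, data shapes and helper
// names below are assumptions chosen for illustration.

type Role = "member" | "admin" | "owner";

// Privilege rank: a higher number means more privilege.
const RANK: Record<Role, number> = { member: 0, admin: 1, owner: 2 };

interface Member {
  userId: string;
  role: Role;
}

// Constructed sample organization membership (not real data).
const org: Member[] = [
  { userId: "u-owner", role: "owner" },
  { userId: "u-admin", role: "admin" },
  { userId: "u-member", role: "member" },
];

function findMember(members: Member[], userId: string): Member {
  const m = members.find((x) => x.userId === userId);
  if (!m) throw new Error(`unknown member ${userId}`);
  return m;
}

// Flawed pattern: the only authorization question asked is "is the caller at
// least an admin?". The requested role is never compared with the caller's
// own role, so an admin can hand out the owner role to anyone.
function vulnerableCanChangeRole(
  members: Member[],
  actorId: string,
  _targetId: string,
  _newRole: Role,
): boolean {
  const actor = findMember(members, actorId);
  return RANK[actor.role] >= RANK.admin;
}

// Hardened pattern:
//  1. only admins and owners manage roles at all;
//  2. the caller may not grant a rank above their own (this is the line that
//     stops an admin from minting an owner);
//  3. the caller may not modify a member who outranks or equals them, except
//     themselves (so an admin cannot demote the owner or a fellow admin);
//  4. the last remaining owner cannot be demoted (assumed extra safeguard).
function hardenedCanChangeRole(
  members: Member[],
  actorId: string,
  targetId: string,
  newRole: Role,
): boolean {
  const actor = findMember(members, actorId);
  const target = findMember(members, targetId);

  if (RANK[actor.role] < RANK.admin) return false;
  if (RANK[newRole] > RANK[actor.role]) return false;
  if (actorId !== targetId && RANK[target.role] >= RANK[actor.role]) return false;

  if (target.role === "owner" && newRole !== "owner") {
    const ownerCount = members.filter((m) => m.role === "owner").length;
    if (ownerCount <= 1) return false;
  }
  return true;
}

// Applies a role change only after the hardened check passes; returns a new
// membership list rather than mutating the input.
function applyRoleChange(
  members: Member[],
  actorId: string,
  targetId: string,
  newRole: Role,
): Member[] {
  if (!hardenedCanChangeRole(members, actorId, targetId, newRole)) {
    throw new Error(`forbidden: ${actorId} may not set ${targetId} to ${newRole}`);
  }
  return members.map((m) => (m.userId === targetId ? { ...m, role: newRole } : m));
}
```

The decisive difference is the comparison of the requested role against the caller's own rank: with it in place, the admin-to-owner escalation described in this advisory is rejected before any database write, while an owner can still promote members and admins as intended.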
Patch Details
- Fixed Version: 1.2.7
- Patch Commit: https://github.com/lunary-ai/lunary/commit/f7507f0949f6634f725ebb8da37c44f76542901f