High Severity

lunary

Improper Access Control in User Role Update Functionality

An improper access control vulnerability was identified in lunary-ai/lunary version 1.2.2, allowing an admin to elevate any organization user to the role of organization owner. This elevation of privilege enables the newly promoted owner to delete projects within the organization. The issue was patched in version 1.2.7.

Available publicly on May 21 2024

8.1

CVE:

CVE-2024-3504

CWE:

284:Improper Access Control

CVSS:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Credit:

fewword
AssessDetect

Premium

Remediate
Remediation Steps
  • Update to lunary-ai/lunary version 1.2.7 or later.
  • Review and adjust user roles within the organization to ensure they are appropriate.
  • Implement additional checks or controls to monitor and restrict role changes to prevent unauthorized role elevation.
  • Regularly audit user roles and permissions to detect and rectify any improper access control settings.
Patch Details
  • Fixed Version: 1.2.7
  • Patch Commit: https://github.com/lunary-ai/lunary/commit/f7507f0949f6634f725ebb8da37c44f76542901f
Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have - related security advisories that are available with Sightline Premium.

Sightline logo
About Protect AIPrivacy PolicyTerms of Service
© 2024 Protect AI, Inc.
Slack iconLinkedIn iconYoutube iconX icon