Project Renaming by Unprivileged User
An unprivileged user can rename a project in the Lunary application version 1.2.2. This vulnerability allows a user with the 'Member' role to rename projects they should not have access to. The issue lies in the application's handling of project renaming requests. It was patched in the release following version 1.2.2.
Available publicly on May 21 2024
Threat Overview
The vulnerability arises from the application's failure to properly verify the permissions of a user attempting to rename a project. Specifically, when a 'Member' role user sends a PATCH request to the project's endpoint with a new name, the application does not check if the user has the necessary permissions to perform this action. This oversight allows any user with knowledge of a project's ID to rename it, regardless of their assigned role or permissions.
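To make the missing check concrete, here is an added example (not Lunary's code; the in-memory store, the role names "Owner" and "Admin", and the `{status, body}` response shape are assumptions for illustration). It places a rename handler in the pattern the advisory describes, which trusts the project ID in the request and consults nothing about the caller, beside a hardened version that decides authorization from server-side state: the project must belong to the caller's organisation, and the caller's role must permit renaming.

```javascript
// Added example, not Lunary's code. Store layout, role names "Owner"/"Admin"
// and the {status, body} response shape are assumptions.

// Constructed sample data: each project belongs to one organisation and each
// user holds one role within one organisation.
function makeStore() {
  return {
    projects: new Map([
      ["proj-1", { orgId: "org-A", name: "Chatbot eval" }],
      ["proj-2", { orgId: "org-B", name: "Internal tools" }],
    ]),
    memberships: new Map([
      ["user-alice", { orgId: "org-A", role: "Owner" }],
      ["user-bob", { orgId: "org-A", role: "Member" }],
      ["user-carol", { orgId: "org-B", role: "Admin" }],
    ]),
  };
}

// The flaw pattern from the advisory: the handler looks up the project by the
// ID in the request and never consults the caller's identity or role.
function renameProjectUnchecked(store, userId, projectId, newName) {
  const project = store.projects.get(projectId);
  if (!project) return { status: 404, body: { error: "project not found" } };
  project.name = newName;
  return { status: 200, body: { id: projectId, name: project.name } };
}

// Hardened version. Authorization is derived from who the caller is and what
// they belong to, never from anything the request body claims.
const ROLES_THAT_MAY_RENAME = new Set(["Owner", "Admin"]);

function renameProject(store, userId, projectId, newName) {
  const project = store.projects.get(projectId);
  const membership = store.memberships.get(userId);

  // Tenancy check. A project owned by another organisation is reported exactly
  // like a non-existent one, so callers cannot confirm which IDs exist by
  // comparing 403 and 404 responses.
  if (!project || !membership || project.orgId !== membership.orgId) {
    return { status: 404, body: { error: "project not found" } };
  }

  // Role check: a plain "Member" of the owning organisation may not rename.
  if (!ROLES_THAT_MAY_RENAME.has(membership.role)) {
    return { status: 403, body: { error: "insufficient role" } };
  }

  // Input validation is separate from authorization and runs only after it.
  if (typeof newName !== "string") {
    return { status: 400, body: { error: "name must be a string" } };
  }
  const trimmed = newName.trim();
  if (trimmed.length === 0 || trimmed.length > 100) {
    return { status: 400, body: { error: "name must be 1-100 characters" } };
  }

  project.name = trimmed;
  return { status: 200, body: { id: projectId, name: project.name } };
}

// Stand-alone demonstration: the same Member-role request against a project in
// another organisation succeeds under the unchecked handler and is refused by
// the hardened one.
const demo = makeStore();
console.log(renameProjectUnchecked(demo, "user-bob", "proj-2", "renamed")); // status 200
console.log(renameProject(demo, "user-bob", "proj-2", "renamed"));          // status 404
console.log(renameProject(demo, "user-bob", "proj-1", "renamed"));          // status 403
console.log(renameProject(demo, "user-alice", "proj-1", "Renamed"));        // status 200
```

The ordering in the hardened handler is deliberate: the tenancy check comes first so that cross-organisation requests learn nothing, the role check comes second, and only then is the new name validated. Reversing that order would let an unauthorized caller use validation errors to learn which project IDs exist.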
Attack Scenario
An attacker, having the role of a 'Member' within the Lunary application, discovers the ID of a project they do not have access to. The attacker then crafts a PATCH request with the project ID and a new name for the project. By sending this request to the application's server, the attacker can rename the project without having the appropriate permissions, potentially causing confusion or unauthorized changes to project settings.
Who is affected
This vulnerability affects all users of the Lunary application version 1.2.2, particularly administrators and project owners who may find their projects renamed without authorization. It undermines the integrity of project management and control within the application.