Critical

lunary

Unauthorized Project Access in API

A vulnerability in versions v1.2.13 to 1.2.25 of the Lunary platform allowed users to access and manipulate projects within an organization to which they were not granted access. This issue was patched in version 1.2.26.

Available publicly on Jun 08 2024

9.8

CVSS:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Credit:

antonin36330
Threat Overview

The core of the vulnerability lies in the improper authorization check within the checkProjectAccess method. This method incorrectly assumes that if a user is part of the organization owning a project, they are authorized to access all projects within that organization. It neglects to verify the user's specific permissions for each project, leading to unauthorized access. This flaw can be exploited to gain control over project resources, compromising the confidentiality, integrity, and availability of the project's data and functionality.

Attack Scenario

An attacker, after being invited to one project within an organization, captures their own authorized HTTP request to modify a project resource. The attacker then modifies this request to target a different project within the same organization, one to which they do not have access, and replays it using their legitimate access token. This exploitation allows the attacker to bypass intended access controls and perform unauthorized operations on the targeted project.

Who is affected

Any user or project within the Lunary platform version v1.2.13 to 1.2.25 could be affected by this vulnerability. Specifically, projects that are part of an organization and have multiple users with varying levels of access permissions are at risk. Users with limited permissions could exploit this vulnerability to gain unauthorized access to other projects within the same organization.

Technical Report
Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have - related security advisories that are available with Sightline Premium.