Critical

lunary

Unauthorized Project Access in API

A vulnerability in versions v1.2.13 to 1.2.25 of the Lunary platform allowed users to access and manipulate projects within an organization to which they were not granted access. This issue was patched in version 1.2.26.

Available publicly on Jun 08 2024

9.8

CVSS:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Credit:

antonin36330
Remediation Steps
  • Update to version 1.2.26 or later.
  • Review and adjust access controls and permissions for users within each project to ensure they are correctly set post-patch.
  • Audit logs for any suspicious activity that may indicate exploitation of this vulnerability.
  • Consider implementing additional layers of security checks to validate user permissions at the application level, beyond organizational membership.
Patch Details
  • Fixed Version: 1.2.26
  • Patch Commit: https://github.com/lunary-ai/lunary/commit/c43b6c62035f32ca455f66d5fd22ba661648cde7
Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have - related security advisories that are available with Sightline Premium.