Improper Access Control in Template Version Retrieval
An Insecure Direct Object Reference (IDOR) vulnerability in lunary-ai/lunary allows unauthorized viewing of any project prompts by supplying a prompt ID. This issue affects version 1.2.2 and was patched in version 1.2.25.
Available publicly on May 20 2024 | Available with Premium on May 19 2024
Threat Overview
The vulnerability stems from the application's failure to validate whether the user requesting a prompt's details has permission to view that prompt. Specifically, the endpoint responsible for fetching template version details does not verify that the supplied prompt ID belongs to a project associated with the current user. This oversight allows an attacker to view sensitive information from any project simply by knowing or guessing the prompt ID.
Attack Scenario
An attacker discovers or guesses the ID of a prompt belonging to another user's project. They then make a request to the vulnerable endpoint, supplying the prompt ID. The application does not check if the attacker is authorized to view the prompt, resulting in the unauthorized disclosure of sensitive information.
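The following is an added illustration of the missing check, not code from lunary-ai/lunary: a hypothetical template-version lookup written in TypeScript with constructed in-memory data (templates, projects, and user memberships are assumptions), showing the vulnerable lookup that keys only on the supplied ID beside the hardened lookup that resolves the object's owning project and requires the caller to be a member of it.

```typescript
// Added example (not lunary's code): a hypothetical template-version lookup
// modelled on the advisory. All names and data below are constructed.

type TemplateVersion = { id: number; templateId: number; content: string };
type Template = { id: number; projectId: number };
type Membership = { userId: number; projectId: number };

// Constructed sample data: two projects, one template and one version each,
// and one user who is a member of each project.
const templates: Template[] = [
  { id: 1, projectId: 100 },
  { id: 2, projectId: 200 },
];
const versions: TemplateVersion[] = [
  { id: 10, templateId: 1, content: "system prompt for project 100" },
  { id: 20, templateId: 2, content: "system prompt for project 200" },
];
const memberships: Membership[] = [
  { userId: 1, projectId: 100 },
  { userId: 2, projectId: 200 },
];

// Vulnerable pattern: the lookup keys only on the supplied ID and never asks
// whether the caller belongs to the project that owns the object.
function getVersionUnchecked(_userId: number, versionId: number): TemplateVersion | undefined {
  return versions.find((v) => v.id === versionId);
}

// Hardened pattern: resolve version -> template -> project, then require that
// the caller is a member of that project before returning anything. A foreign
// ID and an unknown ID both yield "not found", so the response does not
// confirm whether the object exists.
function getVersionChecked(userId: number, versionId: number): TemplateVersion | undefined {
  const version = versions.find((v) => v.id === versionId);
  if (!version) return undefined;
  const template = templates.find((t) => t.id === version.templateId);
  if (!template) return undefined;
  const isMember = memberships.some(
    (m) => m.userId === userId && m.projectId === template.projectId,
  );
  return isMember ? version : undefined;
}
```

The same project-membership check belongs in every endpoint that takes an object ID, since any lookup that skips it reintroduces the same class of bug.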
Who is affected
Any user of the lunary-ai/lunary application version 1.2.2 is vulnerable to this issue. Unauthorized users can exploit this vulnerability to view sensitive project prompts that they should not have access to.