High

lunary

Improper Access Control in Template Version Retrieval

An Insecure Direct Object Reference (IDOR) vulnerability in lunary-ai/lunary allows unauthorized viewing of any project prompts by supplying a prompt ID. This issue affects version 1.2.2 and was patched in version 1.2.25.

Available publicly on May 20 2024

7.5

CVSS:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Credit:

fewword
Threat Overview

The vulnerability stems from the application's failure to validate whether a user requesting a prompt's details has the necessary permissions to view that prompt. Specifically, the endpoint responsible for fetching template version details does not verify if the provided prompt ID belongs to a project associated with the current user. This oversight allows an attacker to view sensitive information from any project by simply knowing or guessing the prompt ID.

Attack Scenario

An attacker discovers or guesses the ID of a prompt belonging to another user's project. They then make a request to the vulnerable endpoint, supplying the prompt ID. The application does not check if the attacker is authorized to view the prompt, resulting in the unauthorized disclosure of sensitive information.

Who is affected

Any user of the lunary-ai/lunary application version 1.2.2 is vulnerable to this issue. Unauthorized users can exploit this vulnerability to view sensitive project prompts that they should not have access to.

Technical Report
Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have - related security advisories that are available with Sightline Premium.