IDOR Vulnerability in Template Version Management
An IDOR (Insecure Direct Object Reference) vulnerability was discovered in lunary-ai/lunary version 1.2.2, allowing unauthorized viewing and updating of any prompts in any projects. This issue was not specified as patched in the provided data.
Available publicly on May 20 2024
Threat Overview
The vulnerability arises from improper access control mechanisms in the template version management endpoints. Specifically, the PATCH and GET requests for template versions do not adequately verify the user's permissions for the specified project ID, allowing an attacker to view or modify template versions by manipulating the 'id' parameter in the request URL. This could lead to unauthorized access to sensitive project data or unauthorized modifications to project templates.
Attack Scenario
An attacker discovers the project ID of a target project and crafts a malicious PATCH or GET request with the project ID and a template version ID they wish to target. By sending this request to the server, the attacker can view or modify the content, extra parameters, test values, and draft status of the template version without proper authorization.
Who is affected
All users of lunary-ai/lunary version 1.2.2 are potentially affected by this vulnerability, as it allows unauthorized individuals to access and modify any project's template versions.
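To make the missing check concrete, here is an added illustration (not Lunary's code and not from the advisory): a minimal in-memory model of the GET and PATCH template-version handlers described above, with the version looked up by its id alone beside a version that first resolves the version's project and requires it to belong to the caller's organisation. The project, version and org identifiers are constructed sample data.

```javascript
// Added illustration (not Lunary's code): a model of the template-version
// endpoints described in the advisory, showing the missing ownership check
// and the hardened form. All identifiers below are constructed sample data.

const projects = new Map([
  ["proj-a", { orgId: "org-1" }],
  ["proj-b", { orgId: "org-2" }],
]);

const templateVersions = new Map([
  [10, { projectId: "proj-a", content: "system prompt A", isDraft: false }],
  [20, { projectId: "proj-b", content: "system prompt B", isDraft: true }],
]);

// Vulnerable shape: the version is fetched by its id alone, so any
// authenticated caller can read any project's version (the IDOR).
function getVersionUnchecked(_user, versionId) {
  const version = templateVersions.get(versionId);
  if (!version) return { status: 404 };
  return { status: 200, body: version };
}

// Hardened shape: resolve the version's project and require that it
// belongs to the caller's org before anything is returned or modified.
function authorizeVersion(user, versionId) {
  const version = templateVersions.get(versionId);
  if (!version) return { status: 404 };
  const project = projects.get(version.projectId);
  if (!project || project.orgId !== user.orgId) {
    // Same response as "not found" so existence is not leaked across orgs.
    return { status: 404 };
  }
  return { status: 200, body: version };
}

function getVersionChecked(user, versionId) {
  return authorizeVersion(user, versionId);
}

// PATCH handler: only the fields the advisory names are updatable, and only
// after the ownership check passes; projectId itself can never be changed.
function patchVersionChecked(user, versionId, patch) {
  const auth = authorizeVersion(user, versionId);
  if (auth.status !== 200) return auth;
  for (const key of ["content", "extra", "testValues", "isDraft"]) {
    if (key in patch) auth.body[key] = patch[key];
  }
  return { status: 200, body: auth.body };
}
```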