High

lunary

Session Reuse Vulnerability in Organization Name Change

A vulnerability in lunary-ai/lunary allowed users to change an organization's name using an old session token even after being removed from the organization. This issue affected versions up to 1.0.2 and was patched in version 1.2.8.

Available publicly on Apr 08 2024

7.5

CVSS:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Credit:

surayp

Threat Overview

The vulnerability stems from the lack of validation to check if a user, who is issuing a request to change an organization's name, is currently a member of that organization. An attacker could exploit this by using an old session token, which was issued before they were removed from the organization, to authorize a request to change the organization's name. This could lead to unauthorized changes to organization details, potentially causing confusion or misuse of the organization's identity.

Attack Scenario

An attacker, previously a member of an organization, is removed by an admin. However, the attacker had previously saved their authorization token. Despite their removal, they use this token to send a PATCH request to the organization's endpoint, changing the organization's name without authorization. This is possible because the system does not verify if the user associated with the token is still a member of the organization at the time of the request.
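The following is an added example, not code from the lunary project, that models the flaw described in the Threat Overview and Attack Scenario above with a small in-memory session and membership store. The handler names, the `org-1` organization and the `tok-former` session token are constructed for illustration. The vulnerable handler trusts the organization id captured in the session when it was issued; the hardened handler re-checks the membership table at request time, so a token issued before removal no longer authorizes the rename.

```javascript
// Added example (hypothetical, not lunary's code): replay of the
// "old session token after removal" scenario against two handlers.
const sessions = new Map();    // sessionToken -> { userId, orgId } (orgId fixed at login)
const memberships = new Map(); // orgId -> Set of userIds currently in the org
const orgs = new Map();        // orgId -> { name }

// Constructed starting state: one org with an admin and one other member,
// and a session that the second member obtained while still a member.
function seed() {
  sessions.clear(); memberships.clear(); orgs.clear();
  orgs.set('org-1', { name: 'Acme' });
  memberships.set('org-1', new Set(['admin', 'former']));
  sessions.set('tok-former', { userId: 'former', orgId: 'org-1' });
}

// Admin removes a member. Note: the member's existing session is NOT revoked here,
// which is exactly the situation the advisory describes.
function removeMember(orgId, userId) {
  const members = memberships.get(orgId);
  if (members) members.delete(userId);
}

// Vulnerable handler: only checks that the session exists and that the orgId
// stored in it at login matches the target org. Membership is never re-verified.
function renameOrgVulnerable(token, orgId, newName) {
  const session = sessions.get(token);
  if (!session || session.orgId !== orgId) return { status: 401 };
  orgs.get(orgId).name = newName;
  return { status: 200, name: orgs.get(orgId).name };
}

// Hardened handler: authenticates the session, then authorizes the action by
// looking up CURRENT membership of the session's user in the target org.
function renameOrgFixed(token, orgId, newName) {
  const session = sessions.get(token);
  if (!session) return { status: 401 };
  const members = memberships.get(orgId);
  if (!members || !members.has(session.userId)) return { status: 403 };
  orgs.get(orgId).name = newName;
  return { status: 200, name: orgs.get(orgId).name };
}

// Run the advisory's scenario against a handler: the member is removed, then
// replays the session token they saved earlier to rename the organization.
// Returns the handler's response plus the org name that results.
function scenario(handler) {
  seed();
  removeMember('org-1', 'former');
  const response = handler('tok-former', 'org-1', 'Renamed');
  return { ...response, orgName: orgs.get('org-1').name };
}

console.log('vulnerable:', scenario(renameOrgVulnerable)); // { status: 200, ... orgName: 'Renamed' }
console.log('fixed:     ', scenario(renameOrgFixed));      // { status: 403, orgName: 'Acme' }
```

The design point is the split between authentication (is this a valid session?) and authorization (is this user allowed to do this to this resource right now?). The hardened handler treats the session only as proof of identity and consults the membership table on every request; a complementary mitigation, not shown here, is to invalidate a user's sessions when they are removed from an organization, which also closes the window for any other endpoint that made the same assumption.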

Who is affected

Any organization using lunary-ai/lunary versions up to 1.0.2 could be affected by this vulnerability. Specifically, organizations are at risk from former members who still possess valid session tokens and could exploit this oversight to make unauthorized changes.
