Session Reuse Vulnerability in Organization Name Change
A vulnerability in lunary-ai/lunary allowed users to change an organization's name using an old session token even after being removed from the organization. This issue affected versions up to 1.0.2 and was patched in version 1.2.8.
Available publicly on Apr 08 2024
Remediation Steps
- Update to version 1.2.8 or later.
- Review and audit current organization names for unauthorized changes.
- Implement additional checks to validate a user's membership status before processing requests affecting organizational data.
- Consider implementing a more robust session management system that invalidates session tokens upon significant role changes or removal from an organization.
Patch Details
- Fixed Version: 1.2.8
- Patch Commit: https://github.com/lunary-ai/lunary/commit/d8e2e73efd53ab4e92cf47bbf4b639a9f08853d2
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.