High

lunary

Session Reuse Vulnerability in Organization Name Change

A vulnerability in lunary-ai/lunary allowed users to change an organization's name using an old session token even after being removed from the organization. This issue affected versions up to 1.0.2 and was patched in version 1.2.8.

Available publicly on Apr 08 2024

7.5

CVE:

CVE-2024-1902

CWE:

821:Incorrect Synchronization

CVSS:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Credit:

surayp
AssessDetect

Unavailable

Remediate
Remediation Steps
  • Update to version 1.2.8 or later.
  • Review and audit current organization names for unauthorized changes.
  • Implement additional checks to validate a user's membership status before processing requests affecting organizational data.
  • Consider implementing a more robust session management system that invalidates session tokens upon significant role changes or removal from an organization.
Patch Details
  • Fixed Version: 1.2.8
  • Patch Commit: https://github.com/lunary-ai/lunary/commit/d8e2e73efd53ab4e92cf47bbf4b639a9f08853d2
Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have - related security advisories that are available with Sightline Premium.