Persistent Access via Old Authorization Token After Removal from Organization
A vulnerability in lunary version 1.0.1 allowed members to read, create, modify, and delete templates even after being removed from an organization, by reusing an old authorization token. This issue was patched in version 1.2.8.
Available publicly on Apr 07 2024
Threat Overview
The core of this vulnerability lies in the improper invalidation of authorization tokens upon a user's removal from an organization. Typically, when a user is removed from an organization, their access to resources within that organization should be revoked immediately. However, due to a flaw in the lunary application, the old authorization tokens were not invalidated, allowing the removed user to continue accessing and manipulating project templates. This oversight could lead to unauthorized access and modification of sensitive data, posing significant security risks.
Attack Scenario
An attacker, previously a member of an organization within the lunary application, is removed from the organization but retains their old authorization token. The attacker then uses this token to send HTTP requests to the lunary web application, performing actions such as reading, creating, editing, and deleting prompt templates within the project they were removed from. This scenario assumes the attacker has knowledge of the HTTP request structure and possesses a valid, though supposedly invalidated, authorization token.
Who is affected
This vulnerability affects lunary deployments in which a user has been removed from an organization but still holds an authorization token issued before the removal. It also impacts the security posture of the organizations from which these users have been removed, since it allows unauthorized access to and manipulation of their data.
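The pattern described above, shown as an added example in TypeScript (this is illustrative code written for this page, not lunary's own code, and the token format, membership table and function names are assumptions). The vulnerable check accepts any token with a valid signature and a matching org claim; the hardened check additionally consults current organization membership on every request and rejects tokens issued before the user's removal time.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed demo secret and data; a real deployment would load these from config and a database.
const SECRET = "constructed-demo-secret";

type Claims = { userId: string; orgId: string; iat: number }; // iat: issue time in seconds

// Authoritative membership table: orgId -> set of current member userIds.
const memberships = new Map<string, Set<string>>([["org-1", new Set(["alice", "bob"])]]);

// Per-user watermark: tokens issued before this time are no longer accepted. Set on removal.
const tokensInvalidBefore = new Map<string, number>();

function b64url(s: string): string {
  return Buffer.from(s).toString("base64url");
}

// Issue a minimal HMAC-signed token (assumption: stands in for whatever lunary actually issues).
function issueToken(claims: Claims): string {
  const payload = b64url(JSON.stringify(claims));
  const sig = createHmac("sha256", SECRET).update(payload).digest("base64url");
  return `${payload}.${sig}`;
}

// Verify the signature in constant time and return the claims, or null if invalid.
function verifyToken(token: string): Claims | null {
  const [payload, sig] = token.split(".");
  if (!payload || !sig) return null;
  const expected = createHmac("sha256", SECRET).update(payload).digest("base64url");
  const a = Buffer.from(sig);
  const b = Buffer.from(expected);
  if (a.length !== b.length || !timingSafeEqual(a, b)) return null;
  return JSON.parse(Buffer.from(payload, "base64url").toString()) as Claims;
}

// Vulnerable pattern: a validly signed token with the right org claim is treated as proof
// of membership, so removal from the org never takes effect for tokens already issued.
function authorizeVulnerable(token: string, orgId: string): boolean {
  const claims = verifyToken(token);
  return claims !== null && claims.orgId === orgId;
}

// Hardened pattern: the signature is necessary but not sufficient. Membership is re-checked
// against the current table and tokens older than the removal watermark are rejected.
function authorizeHardened(token: string, orgId: string): boolean {
  const claims = verifyToken(token);
  if (!claims || claims.orgId !== orgId) return false;
  if (!memberships.get(orgId)?.has(claims.userId)) return false;
  const notBefore = tokensInvalidBefore.get(claims.userId) ?? 0;
  return claims.iat >= notBefore;
}

// Removing a member updates the table and records the time, invalidating earlier tokens.
function removeMember(orgId: string, userId: string, now: number): void {
  memberships.get(orgId)?.delete(userId);
  tokensInvalidBefore.set(userId, now);
}

// Walk through the scenario: bob holds a token, is removed, then replays the same token.
function demo(): { before: { vuln: boolean; hard: boolean }; after: { vuln: boolean; hard: boolean } } {
  memberships.get("org-1")?.add("bob"); // reset constructed state so demo() is repeatable
  tokensInvalidBefore.delete("bob");
  const token = issueToken({ userId: "bob", orgId: "org-1", iat: 1000 });
  const before = { vuln: authorizeVulnerable(token, "org-1"), hard: authorizeHardened(token, "org-1") };
  removeMember("org-1", "bob", 2000);
  const after = { vuln: authorizeVulnerable(token, "org-1"), hard: authorizeHardened(token, "org-1") };
  return { before, after };
}

console.log(JSON.stringify(demo()));
```

The membership lookup is what actually closes the hole; the issue-time watermark is a second line of defence for deployments where the token carries cached role or org data and a database round trip per request is undesirable, since it lets a cache answer "was this token issued after the user's last removal or credential reset".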