Persistent Access via Old Authorization Token After Removal from Organization
A vulnerability in lunary version 1.0.1 allowed members to read, create, modify, and delete templates even after being removed from an organization, by reusing an old authorization token. This issue was patched in version 1.2.8.
Available publicly on Apr 07 2024
Remediation Steps
- Ensure your lunary installation is updated to version 1.2.8 or later.
- Invalidate all existing authorization tokens after updating to ensure that any tokens issued under the vulnerable version are no longer usable.
- Review logs for any unauthorized access or modifications to templates, especially by users who were recently removed from organizations.
- Implement additional monitoring on template access and modifications to quickly detect and respond to unauthorized activities.
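The root cause described above is that authorization was derived from the token alone, so a token issued while a user was still a member kept working after the membership was removed. The following is an added example, not lunary's code, of how a defender would structure the check so that membership is re-evaluated on every request and tokens issued before a per-organization cutoff are rejected (covering the token-invalidation step), together with a small log-review helper that flags template actions performed after a user's removal. All names (`TOKENS`, `MEMBERSHIPS`, `TOKENS_INVALID_BEFORE`, `authorizeTemplateAccess`, `findAccessesAfterRemoval`) and all data are constructed for the example.

```typescript
// Added example (not lunary's code). In-memory stores below stand in for the
// database; every record and timestamp is constructed for illustration.

interface TokenRecord { userId: string; orgId: string; issuedAt: number; revoked: boolean; }
interface Membership { userId: string; orgId: string; removedAt: number | null; }
interface AuthDecision { allowed: boolean; reason: string; }
interface TemplateLogEntry { ts: number; userId: string; orgId: string; action: string; templateId: string; }

const TOKENS: Record<string, TokenRecord> = {
  "tok-alice-old": { userId: "alice", orgId: "org-1", issuedAt: 1000, revoked: false },
  "tok-alice-new": { userId: "alice", orgId: "org-1", issuedAt: 5000, revoked: false },
  "tok-bob":       { userId: "bob",   orgId: "org-1", issuedAt: 5000, revoked: false },
  "tok-carol":     { userId: "carol", orgId: "org-1", issuedAt: 5000, revoked: true  },
};

const MEMBERSHIPS: Membership[] = [
  { userId: "alice", orgId: "org-1", removedAt: null },
  { userId: "bob",   orgId: "org-1", removedAt: 4000 }, // bob was removed at t=4000
  { userId: "carol", orgId: "org-1", removedAt: null },
];

// Hypothetical per-org cutoff: tokens issued before this instant are rejected,
// e.g. set to the deployment time of the patched version.
const TOKENS_INVALID_BEFORE: Record<string, number> = { "org-1": 2000 };

// Membership is looked up at request time, never taken from the token.
function isCurrentMember(userId: string, orgId: string, now: number): boolean {
  return MEMBERSHIPS.some(m =>
    m.userId === userId && m.orgId === orgId &&
    (m.removedAt === null || m.removedAt > now));
}

// Every template read/create/update/delete goes through this check.
function authorizeTemplateAccess(token: string, orgId: string, now: number): AuthDecision {
  const rec = TOKENS[token];
  if (!rec) return { allowed: false, reason: "unknown token" };
  if (rec.revoked) return { allowed: false, reason: "token revoked" };
  if (rec.orgId !== orgId) return { allowed: false, reason: "token not issued for this org" };
  const cutoff = TOKENS_INVALID_BEFORE[orgId] ?? 0;
  if (rec.issuedAt < cutoff) return { allowed: false, reason: "token issued before invalidation cutoff" };
  if (!isCurrentMember(rec.userId, orgId, now)) return { allowed: false, reason: "user no longer a member" };
  return { allowed: true, reason: "ok" };
}

// Constructed audit log of template actions for the review step.
const SAMPLE_LOG: TemplateLogEntry[] = [
  { ts: 3500, userId: "bob",   orgId: "org-1", action: "read",   templateId: "tpl-1" }, // still a member
  { ts: 4500, userId: "bob",   orgId: "org-1", action: "delete", templateId: "tpl-1" }, // after removal
  { ts: 4600, userId: "alice", orgId: "org-1", action: "update", templateId: "tpl-2" },
];

// Flags actions performed by a user who was not a member at the time of the action.
function findAccessesAfterRemoval(log: TemplateLogEntry[]): TemplateLogEntry[] {
  return log.filter(e => !isCurrentMember(e.userId, e.orgId, e.ts));
}

// Stand-alone run: prints the decision for each token and the flagged log entries.
for (const tok of Object.keys(TOKENS)) {
  console.log(tok, authorizeTemplateAccess(tok, "org-1", 6000));
}
console.log("suspicious:", findAccessesAfterRemoval(SAMPLE_LOG));
```

The decision object carries a reason string so that denials can be written to the audit log and alerted on; a spike in "user no longer a member" denials after the upgrade is the expected signal that stale tokens are still being presented.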
Patch Details
- Fixed Version: 1.2.8
- Patch Commit: https://github.com/lunary-ai/lunary/commit/d8e2e73efd53ab4e92cf47bbf4b639a9f08853d2