Unauthorized Access to Org User List by Prompt Editor Role
A vulnerability in lunary version 1.2.5 allowed users holding the 'Prompt Editor' role to retrieve the full list of users in their organization, a list the role was never granted permission to read. The cause was a missing access control check on the endpoint `GET /v1/users/me/org`. The issue has been patched in subsequent releases.
Available publicly on May 24 2024
Threat Overview
The vulnerability stems from an improper access control implementation in the lunary platform. The endpoint `GET /v1/users/me/org` authenticated the caller but did not apply the `checkAccess("teamMembers", "read")` check that verifies whether the requesting user is permitted to read team member information. As a result, users assigned the 'Prompt Editor' role, which is intended to be limited to prompt management and project viewing, could retrieve the full list of users in their organization. The leaked list, which carries user identities together with their roles and permissions, gives a low-privileged insider, or an attacker who has compromised a Prompt Editor account, an accurate map of which accounts hold higher privileges. That is reconnaissance that supports targeted attacks such as phishing of administrators and later privilege escalation attempts; the missing check itself does not grant elevated rights.
Attack Scenario
An attacker with access to a 'Prompt Editor' account within the lunary platform could exploit this vulnerability by sending an ordinary HTTP GET request to `GET /v1/users/me/org` with the valid authorization token for that account in the request headers. No crafted payload is needed: the response contains the full list of users in the organization, including their roles and permissions, even though the role carries no permission to access this information. Because the request is well-formed and authenticated, it looks like legitimate traffic; detecting abuse requires correlating the caller's role with the requested endpoint in application logs rather than inspecting the request itself.
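The following is an added example, written for this page and not taken from lunary's own code base, that models the missing check described in the Threat Overview and the request described in the Attack Scenario. It assumes a Koa-style middleware chain, a constructed role-to-permission map (`admin`, `promptEditor`), constructed bearer tokens and a constructed organization directory; the `checkAccess(resource, action)` signature follows the advisory text, but its internals are an assumption. The vulnerable route chain authenticates the caller and then serves the list; the fixed chain inserts `checkAccess("teamMembers", "read")` between authentication and the handler.

```javascript
// Added example (not lunary's code). Role names, permission map, tokens and the
// middleware shape below are assumptions constructed for the demonstration.

// Constructed role -> permission map. "Prompt Editor" manages prompts and views
// projects; only "admin" may read the organization's member list.
const ROLE_PERMISSIONS = {
  admin: { prompts: ["read", "write"], projects: ["read", "write"], teamMembers: ["read", "write"] },
  promptEditor: { prompts: ["read", "write"], projects: ["read"] },
};

// Constructed organization directory: the sensitive data the endpoint returns.
const ORG_USERS = [
  { id: "u1", email: "alice@example.com", role: "admin" },
  { id: "u2", email: "bob@example.com", role: "promptEditor" },
  { id: "u3", email: "carol@example.com", role: "promptEditor" },
];

// Constructed bearer tokens -> authenticated principal.
const TOKENS = {
  "tok-admin": { userId: "u1", role: "admin" },
  "tok-editor": { userId: "u2", role: "promptEditor" },
};

// Authentication step: resolve the bearer token, 401 if unknown.
function authenticate(ctx, next) {
  const token = (ctx.headers.authorization || "").replace(/^Bearer\s+/i, "");
  const user = TOKENS[token];
  if (!user) {
    ctx.status = 401;
    ctx.body = { error: "unauthenticated" };
    return;
  }
  ctx.user = user;
  return next();
}

// Authorization middleware factory: deny unless the caller's role grants
// `action` on `resource`. This is the check the advisory says was absent.
function checkAccess(resource, action) {
  return (ctx, next) => {
    const allowed = (ROLE_PERMISSIONS[ctx.user.role] || {})[resource] || [];
    if (!allowed.includes(action)) {
      ctx.status = 403;
      ctx.body = { error: "forbidden" };
      return;
    }
    return next();
  };
}

// Handler shared by both routes: returns every member of the caller's org.
function listOrgUsers(ctx) {
  ctx.status = 200;
  ctx.body = ORG_USERS.map(({ id, email, role }) => ({ id, email, role }));
}

// Minimal dispatcher that runs a middleware chain the way Koa/Express would.
function runChain(middlewares, ctx) {
  let i = 0;
  const next = () => {
    const mw = middlewares[i++];
    return mw ? mw(ctx, next) : undefined;
  };
  next();
  return ctx;
}

// Vulnerable route: authentication only, no authorization on teamMembers.
const vulnerableRoute = [authenticate, listOrgUsers];
// Fixed route: the access check sits between authentication and the handler.
const fixedRoute = [authenticate, checkAccess("teamMembers", "read"), listOrgUsers];

// Simulates `GET /v1/users/me/org` with a bearer token against a route chain
// and returns the resulting context (status and body).
function getOrgUsers(route, bearerToken) {
  const ctx = { headers: { authorization: `Bearer ${bearerToken}` }, status: 0, body: null };
  return runChain(route, ctx);
}

// Usage: the Prompt Editor token receives the full directory from the
// vulnerable chain and a 403 from the fixed one.
const leaked = getOrgUsers(vulnerableRoute, "tok-editor");
const blocked = getOrgUsers(fixedRoute, "tok-editor");
console.log(leaked.status, leaked.body.length); // 200 3
console.log(blocked.status, blocked.body);      // 403 { error: 'forbidden' }
```

The point to take from the chain layout is that authentication and authorization are separate steps: a valid token proves who the caller is, and only the `checkAccess` middleware decides whether that identity may read `teamMembers`. A route that stops after `authenticate` reproduces the advisory's behaviour exactly.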
Who is affected
The vulnerability affects organizations running lunary version 1.2.5, where any user holding the 'Prompt Editor' role could read information about every other user in the same organization. The exposure therefore reaches all members of an affected organization, not only the account making the request.