CVE-2024-3379

Incorrect Authorization in lunary-ai/lunary

CVSS 9.6 CRITICALEPSS 0.4%CWE-863

Vexday Risk Score

28Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 9.6EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

14 Nov 2024Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

In lunary-ai/lunary versions 1.2.2 through 1.2.6, an incorrect authorization vulnerability allows unprivileged users to re-generate the private key for projects they do not have access to. Specifically, a user with a 'Member' role can issue a request to regenerate the private key of a project without having the necessary permissions or being assigned to that project. This issue was fixed in version 1.2.7.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Affected products

lunary-ai · lunary-ai/lunary

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/lunary-ai/lunary/commit/c57cd50fa0477fd2a2efe60810c0099eebd66f54 https://huntr.com/bounties/739df024-a112-47aa-b51d-988c3f855e92