CVE-2024-1741

Published: Apr 10, 2024

Modified: Jan 31, 2025

PUBLISHED

CVSS v3.0

9.1

CRITICAL

Description

lunary-ai/lunary version 1.0.1 is vulnerable to improper authorization, allowing removed members to read, create, modify, and delete prompt templates using an old authorization token. Despite being removed from an organization, these members can still perform operations on prompt templates by sending HTTP requests with their previously captured authorization token. This issue exposes organizations to unauthorized access and manipulation of sensitive template data.

Vendor	Product	Versions
lunary-ai	lunary-ai/lunary	affected `unspecified - < 1.2.8`

Weaknesses (CWE)

CWE-863

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

References

https://huntr.com/bounties/671bd040-1cc5-4227-8182-5904e9c5ed3b

https://github.com/lunary-ai/lunary/commit/d8e2e73efd53ab4e92cf47bbf4b639a9f08853d2

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-1741

Description

Affected Products

Weaknesses (CWE)

CVSS v3.0 Details

References