CVE-2024-4146 – lunary

Package

Manager: npm
Name: lunary
Vulnerable Version: <0

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.0011 pctl0.30019

Details

lunary-ai/lunary allows users unauthorized access to projects Withdrawn: This advisory was incorrectly linked the the npm package `lunary`. The advisory is valid, but not for that packlage. In lunary-ai/lunary version v1.2.13, an incorrect authorization vulnerability exists that allows unauthorized users to access and manipulate projects within an organization they should not have access to. Specifically, the vulnerability is located in the `checkProjectAccess` method within the authorization middleware, which fails to adequately verify if a user has the correct permissions to access a specific project. Instead, it only checks if the user is part of the organization owning the project, overlooking the necessary check against the `account_project` table for explicit project access rights. This flaw enables attackers to gain complete control over all resources within a project, including the ability to create, update, read, and delete any resource, compromising the privacy and security of sensitive information.

Metadata

Created: 2024-06-08T21:30:38Z
Modified: 2024-11-18T19:40:39Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-w5xm-mx47-v7c8/GHSA-w5xm-mx47-v7c8.json
CWE IDs: ["CWE-285", "CWE-863"]
Alternative ID: GHSA-w5xm-mx47-v7c8
Finding: N/A
Auto approve: 0