CVE-2024-1625

CVSS V2 None CVSS V3 None

Description

An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary application version 0.3.0, allowing unauthorized deletion of any organization's project. The vulnerability is due to insufficient authorization checks in the project deletion endpoint, where the endpoint fails to verify if the project ID provided in the request belongs to the requesting user's organization. As a result, an attacker can delete projects belonging to any organization by sending a crafted DELETE request with the target project's ID. This issue affects the project deletion functionality implemented in the projects.delete route.

Overview

CVE ID
CVE-2024-1625

Assigner
@huntr_ai

Vulnerability Status
PUBLISHED

Published Version
2024-04-10T17:07:55.385Z

Last Modified Date
2024-06-06T13:12:36.469Z

Weakness Enumerations

CWE	URL
CWE-863	http://cwe.mitre.org/data/definitions/863.html

References

Reference URL	Reference Tags
https://huntr.com/bounties/cf6dd625-e6c9-44df-a072-13686816de21
https://github.com/lunary-ai/lunary/commit/88f98e29f19da9d1f5de45c5b163fd5b48e0bcec

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-1625
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1625

History

Created	Old Value	New Value	Data Type	Notes
2024-06-26 06:28:41				Added to TrackCVE